Mika Ayenson, PhD | 8993d1450b | 2026-04-01 09:12:42 -05:00
[Rule Tuning] Add Supplemental Mitre Mappings (#5876)
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>

Ruben Groenewoud | 39cdb3887f | 2026-03-09 17:03:39 +01:00
[New/Tuning] TeamPCP Simulation - New & Tuned Rules (#5812)
* [New/Tuning] TeamPCP Simulation - New & Tuned Rules
* ++
* ++
* Added IGs
* Update event action conditions in TOML rule
Refactor process event conditions for clarity.
* Add cloud-related file access patterns to rules
* Update persistence_suspicious_webserver_child_process_execution.toml
* Update rules/integrations/cloud_defend/defense_evasion_file_creation_execution_deletion_cradle.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_file_creation_execution_deletion_cradle.toml
* Update defense_evasion_file_creation_execution_deletion_cradle.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Ruben Groenewoud | 229f3adf75 | 2026-02-09 16:58:27 +01:00
[New/Tuning] Misc. New D4C Rules and Tunings (#5692)
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword
* [New/Tuning] Misc. New D4C Rules and Tunings
* Added IGs for High Severity Rules
* Apply suggestion from @Aegrah
* ++
* Update discovery_privilege_boundary_enumeration_from_interactive_process.toml
* ++
* Update rules/integrations/cloud_defend/credential_access_service_account_token_or_cert_read.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/cloud_defend/discovery_service_account_namespace_read.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update execution_interactive_file_creation_followed_by_execution.toml
* Some updates based on feedback
* Rule name changes
* ++
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

shashank-elastic | 3ee0a72a65 | 2026-01-27 14:28:06 +05:30
Add investigation guides (#5630)

Ruben Groenewoud | c5b64c9fbf | 2026-01-26 16:59:14 +01:00
[New/Tuning] General API Abuse D4C/K8s Rules (#5591)
* [New/Tuning] General API Abuse D4C/K8s Rules
* [New Rule] DNS Enumeration Detected via Defend for Containers
* [New Rule] Tool Enumeration Detected via Defend for Containers
* [New Rule] Tool Installation Detected via Defend for Containers
* Service Account File Reads
* [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers
* Rule name update
* [New Rules] D4C K8S MDA API Request Rules
* Add 'tor' to the list of allowed process args
* ++
* ++
* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update description
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/cloud_defend/execution_tool_installation.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
