security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
95 Commits 1 Branch 0 Tags
aec3ec31b9cefcbfd96cd4f9f2ba29fe63ca90a8
Commit Graph

95 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
brokensound77 aec3ec31b9 Merge branch '7.9' into main 2020-08-27 15:54:44 -08:00
Ross Wolf 779a3a5b0d Build all branches 2020-08-27 17:35:13 -06:00
Justin Ibarra 4ffdc46ba7 Lock rule versions (#207) 2020-08-27 17:47:29 -05:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220) 
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
 2020-08-27 11:54:49 -05:00
Andrew Pease d955ad275e Add help wanted label to contrib (#219) 2020-08-27 10:05:20 -06:00
Ross Wolf 5310ec722a Fix NOTICE.txt typo 2020-08-24 08:06:58 -06:00
Justin Ibarra be08536880 Increase lookback for endpoint rules (#200) 2020-08-21 12:23:43 -05:00
Ross Wolf 1fccc39699 Change verbiage around Elastic license 2020-08-19 11:47:10 -06:00
Justin Ibarra 28c869fb5f Expand documentation on CLI and workflows (#130) 2020-08-18 14:27:51 -05:00
Justin Ibarra 9b70383898 Refresh ecs master and add beats v7.8.1 schemas (#156) 2020-08-17 12:33:20 -05:00
Ross Wolf 08e500e44e Merge locked versions from 7.9 2020-08-04 13:35:25 -06:00
Ross Wolf 69a5b7e409 Lock versions for 7.9 release 2020-08-04 13:35:14 -06:00
Ross Wolf cb1c401e27 Merge branch '7.9' into main 2020-08-03 15:20:36 -06:00
Brent Murphy 01b1e8be26 [Rule Tuning] Update Tags for Cloud Rules (#99) 
* [Rule Tuning] Update Tags for Cloud Rules

* commenting out specifying alphabetical tag order in rule formatter

* Update rule_formatter.py

* py lint

* Lint fix comments

* update modified dates

* Update credential_access_secretsmanager_getsecretvalue.toml

* adding Continuous Monitoring tag

* update tags

* fixed and in tags

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-08-03 17:15:15 -04:00
Ross Wolf a99b7c96fe Merge branch '7.9' into main 2020-08-03 14:03:15 -06:00
Brent Murphy 7efe33e01d [Rule Tuning] Update Index Pattern for Detection Engine Rules (#101) 
* [Rule Tuning] Update Index Pattern for Detection Engine Rules

* update indices
 2020-08-03 15:46:57 -04:00
Ross Wolf 83e33e70bb Rename slack channel 2020-07-30 19:44:02 -06:00
Ross Wolf 0455307577 Downgrade rule version before uploading to Kibana (#97) 
* Downgrade version before uploading to Kibana
* Update downgrade exception format
* Update s/siem/detection

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-28 11:03:47 -06:00
Yara Tercero 3c4a383947 Add list_id to exceptions_list and remove endgame:* from external alerts (#98) 2020-07-28 07:30:48 -06:00
Justin Ibarra 8f5ddbb121 Add better CLI support for handling Kibana exported rules (#83) 2020-07-27 23:31:19 -05:00
Ross Wolf d15da0ada1 Add versioned schemas with a downgrade path (#84) 
* Add versioned schemas with a downgrade path
* Remove and move unused variables
* Add missing license
* Skip NotField for output_index
* Add strip_additional_properties for kibana import
* Remove stray comment
* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-23 11:39:35 -06:00
Ross Wolf 978a8d9df8 [Bug] Set threshold.field to empty string instead of null (#87) 2020-07-22 19:31:09 -04:00
Ross Wolf 4ba23ad6cd Merge branch '7.9' into main 2020-07-22 14:39:18 -06:00
Garrett Spong 4b17cb37f0 Update External Alerts rule index to match default securitySolution:defaultIndex value (#86) 
## Summary
Updates the External Alerts rule index to match default securitySolution:defaultIndex value


``` toml
index = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
```

Note: extra spaces are from running `toml-lint`

## Contributor checklist

- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)? Yes!
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)? Yes!
 2020-07-22 14:37:19 -06:00
Ross Wolf 5f867dbb72 Add KQL -> DSL conversion (#81) 
* Add KQL -> DSL converter
* Lint with black to 120 chars
* Add more tests and flatten shoulds
* Fix NotValue conversion to DSL
 2020-07-22 11:05:45 -06:00
Brent Murphy b5213e66b2 [Rule Tuning} Correct Promotion Rule Descriptions (#85) 2020-07-22 12:36:18 -04:00
Brent Murphy b4d8985105 [Rule Tuning] Update terms in promotion rules (#72) 
* [Rule Tuning] Update terms in promotion rules

* Update Endpoint terms and lint
 2020-07-21 14:28:30 -04:00
Brent Murphy e08ff6c55d [Rule Tuning] Update Cloud rules with note field (#79) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-07-21 12:27:42 -04:00
Ross Wolf 16fb306254 Add command to upload to kibana (#58) 
* Add upload command to kibana
* Restore skipped fields
* Change prefix to DR_
* Add note to manage_versions call
* Reorder requirements.txt to trigger build
 2020-07-20 15:58:28 -06:00
David French aaef4b99f4 [New Rule] Okta Brute Force or Password Spraying Attack (#66) 
* Create credential_access_okta_brute_force_or_password_spraying.toml

* Update maturity to production

* Update severity and risk score

* Aggregate by source.ip field

To ensure that investigate in timeline displays expected events

* Update false positive information

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Tweak false positive info

* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-07-20 12:44:59 -06:00
David French 4784342723 [New Rule] AWS IAM Brute Force of Assume Role Policy (#67) 
* Create credential_access_aws_iam_assume_role_brute_force.toml

* Update maturity to production

* Update formatting for query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rule name

* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rule description

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update note field in rule

... to inform users that AWS Filebeat module must be enabled to use this rule.

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* lint rule

* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-07-20 12:43:26 -06:00
Ross Wolf 47cb03314a Fix KQL sorting 2020-07-17 15:09:38 -06:00
Justin Ibarra 1bf60551ff Update lateral_movement_dns_server_overflow.toml 2020-07-17 15:52:04 -05:00
Justin Ibarra 1cfb8f92bb Windows DNS server vulnerability (CVE-2020-1350) rules (#69) 2020-07-17 14:32:52 -05:00
Ross Wolf 89d6498c42 Add webinar link 2020-07-17 09:31:57 -06:00
Justin Ibarra 7647699e2b Add support for threshold rules (#65) 2020-07-16 19:06:34 -05:00
Ross Wolf f1b669e59d Loosen yaml requirement (#62) 
* Loosen yaml requirement
* Bump to ~=5.3
 2020-07-15 09:00:32 -06:00
Justin Ibarra 916917a619 Update rule.py 2020-07-15 09:40:07 -05:00
Ross Wolf db4f50d4b8 Improve the validation and testing time (#61) 
* Improve the validation and testing time
* Lint fix
* Cache schema validation
 2020-07-15 08:05:55 -06:00
Garrett Spong 13ceed5410 Add Global Endpoint Exception List to Elastic Endpoint rule (#60) 2020-07-14 21:26:29 -06:00
Devon Kerr f75b126ec4 Update terminology in ML job rules 2020-07-14 21:22:34 -06:00
Craig Chamberlain f24666bf12 [New Rule] Add Cloudtrail ML Rules 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Devon Kerr <19266650+devonakerr@users.noreply.github.com>
 2020-07-14 15:16:58 -06:00
Ben Skelker 680a04da8f Fix terminology and doc links (#54) 2020-07-13 12:47:42 -06:00
Ross Wolf e96eabaa2e Generate linted .ts in package (#49) 
* Generate linted .ts in package
* (Lin|ni)t changes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-09 17:33:28 -06:00
Garrett Spong c28795c25e [New Rule] Elastic Endpoint and External Alerts (#42) 
* Adds the Elastic Endpoint and External Alerts rules and required schema updates
* Optimizing queries to fix tests
* Apply PEP257 changes
* Apply suggestions from code review
* Update rules/cross-platform/external_alerts.toml
* Last fixes from review
* Fixing test for unrequired default
* Adding increased default max_signals to not interfere with testing
* Make promotions folder
* Refining Elastic Endpoint rule index

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-09 15:24:36 -06:00
Ross Wolf a0b50152b3 Fix new rule template 2020-07-09 10:59:52 -06:00
Ross Wolf 8a561b3817 Add kibana-push command (#38) 
* Add kibana-push command
* Add ctx.exit instead of return
* Make the base branch configurable
 2020-07-08 18:02:12 -06:00
Justin Ibarra 119c98f05f Package kibana index file with release rules (#40) 2020-07-08 18:58:00 -05:00
Ross Wolf 4fe3aaff1a Add test for duplicate file names (#34) 2020-07-08 14:00:28 -06:00
Andrew Pease e0f2e8b4a9 Add dataset and index to network rules (#15) 
* Add dataset and index to network rules
* Restore iptables changes
* Fix beats parsing logic
* Updated date and ECS version
* Only update modules if empty

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-07-08 13:19:35 -06:00