Commit Graph

11 Commits

Author SHA1 Message Date
Craig Chamberlain baefaeeaff [New Rule] Unusual Linux Network Connection Discovery (#266)
* Create ml_linux_system_network_connection_discovery.toml

ML rule to accompany the unusual network connection discovery job

* Update ml_linux_system_network_connection_discovery.toml

set author

* Update ml_linux_system_network_connection_discovery.toml

added false positive field

* Update ml_linux_system_network_connection_discovery.toml

* Update ml_linux_system_network_connection_discovery.toml

linting

* Update rules/ml/ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 16:27:17 -04:00
Craig Chamberlain f1f88e3b3a [New Rule] Unusual Linux System Information Discovery Activity (#264)
* Create ml_linux_system_information_discovery.toml

rule to accompany the system information discovery job

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

added fp field

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

linting

* Update ml_linux_system_information_discovery.toml

* Update rules/ml/ml_linux_system_information_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:25:59 -04:00
Craig Chamberlain 92633ed51a [New Rule] Anomalous Linux Compiler Activity (#262)
* Create ml_linux_anomalous_compiler_activity.toml

rule to accompany the rare compiler activity job

* Update ml_linux_anomalous_compiler_activity.toml

added fp field

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml
2020-09-22 16:24:32 -04:00
Craig Chamberlain 8e2d4cbfc8 [New Rule] Unusual Linux System Owner or User Discovery Activity (#267)
* Create ml_linux_system_user_discovery.toml

ML rule to accompany the unusual system owner / user discovery job

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_system_user_discovery.toml

added fp field

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

lint

* Update ml_linux_system_user_discovery.toml

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:22:41 -04:00
Craig Chamberlain 0a0c5986c5 [New Rule] Anomalous Kernel Module Activity (#257)
* Create ml_linux_rare_kernel_module_arguments.toml

* rare module rule

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update rules/ml/ml_linux_anomalous_kernel_module_arguments.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:18:51 -04:00
Craig Chamberlain 14a62ae93f [New Rule] Unusual Linux Process Discovery Activity (#261)
* Create ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

added fp field

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update rules/ml/ml_linux_system_process_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linting

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
2020-09-22 16:15:36 -04:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220)
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
Devon Kerr f75b126ec4 Update terminology in ML job rules 2020-07-14 21:22:34 -06:00
Craig Chamberlain f24666bf12 [New Rule] Add Cloudtrail ML Rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Devon Kerr <19266650+devonakerr@users.noreply.github.com>
2020-07-14 15:16:58 -06:00
Ben Skelker 680a04da8f Fix terminology and doc links (#54) 2020-07-13 12:47:42 -06:00
Ross Wolf 5fcece8416 Populate rules/ directory.
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 22:57:03 -06:00