security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
564 Commits 1 Branch 0 Tags
bcc8b6922cd791e55158523ecc38d0d17c986010
Commit Graph

31 Commits

Author SHA1 Message Date
Justin Ibarra d4cc4432ce Add tests to ensure rules are properly deprecated (#1050) 
* Add tests to ensure rules are properly deprecated
* add deprecate-rule command
 2021-03-16 21:31:33 -08:00
Justin Ibarra fc9dfde2c4 Generate an integrations package from a release (#983) 
* Generate an integrations package files during a release build
 2021-03-09 13:30:12 -09:00
Justin Ibarra 0b65678d8c [Rule tuning] Correct tags with associated threat mappings (#1003) 2021-03-08 14:12:29 -09:00
Justin Ibarra 0e0b2ea1a4 Update schema for threshold rule type for 7.12 (#976) 
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
 2021-03-05 14:35:50 -09:00
Justin Ibarra 0ef7d87b34 [Rule Tuning] Fix inconsistent rule indexes (#974) 
* [Rule Tuning] Fix inconsistent rule indexes
* cleaned up tests that load rules to leverage setUpClass
 2021-03-05 11:16:02 -09:00
Brent Murphy 4d3ef43b01 [Rule Tuning] Update "Endpoint Security" to "Elastic Endgame" for the relevant Endgame promotion rules (#978) 
* update Endpoint Security to Elastic Endgame for relevant rules

* Update elastic_endpoint_security.toml

* Update test_all_rules.py
 2021-03-04 17:21:17 -05:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 645a0cd67b [Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945) 
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
 2021-02-17 19:49:58 -09:00
Justin Ibarra d57394816f [FR] Index rules from repo to elasticsearch (#932) 
* Add commands to generate index rules files or index them directly to elasticsearch
* files generated at package creation
* add readme explaining these index files
 2021-02-10 10:37:26 -09:00
Justin Ibarra a0e86e20d6 [Rule Tuning] Add windows integration index to rules (#923) 2021-01-28 20:53:57 -09:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706) 
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
 2020-12-18 12:46:16 -09:00
Ross Wolf 7dcb666d81 Fix 7.11 -> 7.10 ATT&CK downgrade logic for optional techiques (#736) 2020-12-18 09:28:05 -07:00
Justin Ibarra e272800a5d Add ATT&CK sub-technique support to CLI (#614) 
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
 2020-12-08 21:56:55 -09:00
Ross Wolf 8c92ae7348 Add ATT&CK subtechniques to the schema (#337) 
* Add ATT&CK subtechniques to the schema
* Switch subtechniques to the 7.11 schema
* Make technique still required
* Lint fixes
* Cleanup EQL constant
* Trim more cruft
* Restore EQL for 710

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 14:57:30 -07:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
Justin Ibarra ad4a2ef0eb Add test commands to search and survey rule hits (#485) 2020-11-17 13:08:00 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
Brent Murphy 2e422f7159 [Rule Tuning] Minor Rule Tweaks for 7.10 (#400) 
* Tweak Rules for 7.10

* Add endpoint index for packetbeat rules

* update unit test to account for Network tag as well

* update modified date, add endpoint tag

* use Host instead of Endpoint

* Update packaging.py

* add v back to changelog url

* Add "tag" comment to get_markdown_rule_info

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-10-22 09:07:04 -04:00
Justin Ibarra d3226c72c9 Add test for tactic in rule filename (#398) 2020-10-20 14:48:33 -08:00
Justin Ibarra 758e4a2c5b Add unit tests for rule tags (#359) 2020-10-07 19:29:19 -08:00
Justin Ibarra bf202b6b6c [New Rule] Initial converted EQL rules (#304) 
* 18 converted eql rules (not all prod)
 2020-09-30 21:40:55 -08:00
Justin Ibarra 7c1e9c1ed5 Update package summary extras produced during package generation (#341) 
* update summary.txt
* add summary.xlsx
* add changelog entry autogeneration
 2020-09-30 14:43:45 -08:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330) 
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
 2020-09-23 22:03:29 -08:00
Ross Wolf 9d22970e21 Add EQL rules and schema validation (#297) 
* Add EQL rules and schema validation
* Lint nitpick
* Rename get_schema_from_eql
* Add EQL default language
* Rename parsed_kql to parsed_query
* Fix parsed_kql method call in loader
* Autopopulate dependent values
 2020-09-16 08:36:48 -06:00
Ross Wolf 464d5e645a Fix kibana-upload and remove cumbersome dataclasses (#216) 
* Fix kibana-upload and remove cumbersom dataclasses

* Linting fixes
 2020-09-01 05:47:27 -06:00
Ross Wolf d15da0ada1 Add versioned schemas with a downgrade path (#84) 
* Add versioned schemas with a downgrade path
* Remove and move unused variables
* Add missing license
* Skip NotField for output_index
* Add strip_additional_properties for kibana import
* Remove stray comment
* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-23 11:39:35 -06:00
Ross Wolf 5f867dbb72 Add KQL -> DSL conversion (#81) 
* Add KQL -> DSL converter
* Lint with black to 120 chars
* Add more tests and flatten shoulds
* Fix NotValue conversion to DSL
 2020-07-22 11:05:45 -06:00
Ross Wolf 4fe3aaff1a Add test for duplicate file names (#34) 2020-07-08 14:00:28 -06:00
Ross Wolf e2d97b0a74 Remove unreachable and legacy code 
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-30 10:12:23 -06:00
Ross Wolf d51474f0a7 Add unit tests 
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-29 23:19:25 -06:00