security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,170 Commits 1 Branch 0 Tags
bd345d4c19137ffad5bedfc62a22cec8f2629709
Commit Graph

130 Commits

Author SHA1 Message Date
Samirbous 1d57e0c779 Update defense_evasion_deletion_of_bash_command_line_history.toml (#3614) 
* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-07-05 12:58:07 +01:00
Ruben Groenewoud 8d063e1a47 [Rule Tuning] SUID/SGID Bit Set (#3802) 2024-06-27 16:27:00 +02:00
James Valente 0726ce41bf Tune rule to exclude forwarded events. (#3790) 
Events containing "forwarded" as a tag may include host information
that is not related to the host running elastic agent. This triggers
false positive alerts. Examples include Entity Analytics integrations,
Palo Alto GlobalProtect activity, and M365 Defender device events.

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-06-25 13:22:07 +02:00
Terrance DeJesus 020ca4be24 [New Rule] Rapid7 Threat Command CVEs Correlation (#3718) 
* new rule 'Rapid7 Threat Command CVEs Correlation'

* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated threat index and tags

* changed 'indicator match' to 'threat match' for tags

* removed timeline

* updating integrations to match main

* re-adding rapid7 threat command integration manifest and schema

* reverting changes; removing timeline

* changed max signals to 10000

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-12 18:01:44 -04:00
Ruben Groenewoud 90bb8b53d8 [Rule Tuning] Agent Spoofing (#3729) 2024-06-03 19:28:24 +02:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Jonhnathan 11dca27974 [New Rule] Potential Widespread Malware Infection (#3656) 
* [New Rule] Potential Widespread Malware Infection

* Update potential_widespread_malware_infection.toml

* .

* Update execution_potential_widespread_malware_infection.toml

* Update rules/cross-platform/execution_potential_widespread_malware_infection.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/execution_potential_widespread_malware_infection.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-05-10 13:51:04 -03:00
Terrance DeJesus d4bf04256d [Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477) 
* deprecating

* adjusted matury tag; updated dates
 2024-04-01 11:01:20 -04:00
Jonhnathan c610e19114 [Rule Tuning] Guided Onboarding Rule (#3502) 
* [Rule Tuning] Guided Onboarding Rule

* Update guided_onboarding_sample_rule.toml

* Revert "Update guided_onboarding_sample_rule.toml"

This reverts commit 18721277df7416534440a4708fa3b060f2775a27.

* Update guided_onboarding_sample_rule.toml

* Update guided_onboarding_sample_rule.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-03-14 10:59:31 -03:00
Jonhnathan f5254f3b5e [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) 
* Initial commit

* Date bump
 2024-03-13 10:27:44 -03:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
 2024-03-11 09:09:40 -03:00
Jonhnathan edf4da8526 [Rule Tuning] DR Performance-Poor Rules (#3399) 
* [Rule Tuning] DR Performance

* .

* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update persistence_startup_folder_scripts.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-03-11 08:50:42 -03:00
Ruben Groenewoud a438052ff3 [Tuning] Linux Cross-Platform Tuning - Part 1 (#3468) 
* [Tuning] Linux Cross-Platform Tuning - Part 1

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 18:20:55 +01:00
Samirbous 4c74588c00 [Tuning] Suspicious File Downloaded from Google Drive (#3411) 
* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml
 2024-01-31 16:55:01 +00:00
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Ruben Groenewoud 788e2b2823 [Rule Tuning] Linux cross-platform DRs (#3346) 2024-01-08 10:44:03 +01:00
Terrance DeJesus 7e85854e7b deprecating 'Malicious Remote File Creation' (#3342) 2023-12-20 08:49:45 -05:00
shashank-elastic a568c56bc1 Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 2023-10-30 16:53:04 +05:30
Terrance DeJesus e7db39a492 [Rule Tuning] Review and Tune Potential Malicious File Downloaded from Google Drive (#3197) 
* added tuning to remove signed binaries and benign processes

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-27 14:12:55 -04:00
Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-23 16:28:58 +02:00
Terrance DeJesus 1e514afa57 [New Rule] Migrate Lateral Movement Detection Rules (#3175) 
* adding LMD rules

* added setup note; updated references

* adds 2.0.0 lmd manifest and schema

* adjusted min-stack for non-ML rules
 2023-10-12 15:02:19 -04:00
Jonhnathan 4034436f06 [Security Content] Add missing osquery transforms (#3088) 
* [Security Content] Add missing osquery transforms

* Revertable unit test

* .

* Revert "Revertable unit test"

This reverts commit 8c909fc2712b16e062890a63f31a6c080b81244a.

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-09-13 08:07:01 -03:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-09-05 14:22:01 -04:00
Eric 17d0e5cda8 [Rule Tuning] Threat Intel Hash Indicator Match (#3031) 
* Remove impash matches due to rate of false positives

* Update rules/cross-platform/threat_intel_indicator_match_hash.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-25 06:21:16 -03:00
Jonhnathan 9387a081bc [Security Content] Add Investigation Guides to Threat Intel rules (#2827) 
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* [Security Content] Add Investigation Guides to Threat Intel rules

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

* Apply suggestions from review, adds Setup guide

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2023-07-27 11:30:14 -03:00
Jonhnathan 0ff50acfd2 [Rule Tuning] Tune Threat Indicator Match Rules (#2957) 
* [Rule Tuning] Tune Threat Indicator Match Rules

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-26 15:12:28 -03:00
Jonhnathan d1491c3ce1 [Rule Tuning] Threat Intel URL Indicator Match (#2902) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-18 20:21:15 -03:00
Jonhnathan f1ba092864 [Deprecation] Threat Intel Indicator Match - General Rules (#2901) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-18 20:12:53 -03:00
shashank-elastic 3ed8c56942 DR Linux Rule Tuning 8.9 (#2859) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-10 20:02:42 +05:30
Jonhnathan 90c79a8283 [Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules (#2777) 
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-28 10:22:24 -03:00
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823) 
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-23 10:58:31 -04:00
Terrance DeJesus d829b145ef [Bug] Fix Tag Navigator Generation (#2875) 
* bug fix for tag navigator generation

* addressing flake errors

* added unit test to ensure prefix exists

* updated unit test case sensitivity

* moved expected tags to definitions.py

* removed expected prefixes

* revert downloadable updates JSON file
 2023-06-23 10:44:55 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Terrance DeJesus 7d758fdacd [New Rule] Potential Malicious File Downloaded from Google Drive (#2862) 
* new rule for malicious files downloaded from Google Drive

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

* removed unecessary tags

* removed extra space

* updated false positives

* fix unit testing failure

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* removed note field

* added cmd.exe

* updated updated_dated

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* removed LoLBins to capture unknown binaries involved

* removed code signature requirements

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-06-22 14:10:14 -04:00
Ruben Groenewoud 6524acf98a [rule tuning] modified std auth module or config (#2737) 2023-05-03 09:32:33 +02:00
shashank-elastic f8e97da549 Rule Tuning Update MITRE Details (#2526) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-02-10 23:05:28 +05:30
Samirbous e737b4eb7c [Tuning] added T1021.006 and T1563.001 (#2497) 
* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update credential_access_potential_linux_ssh_bruteforce_root.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml
 2023-01-27 19:51:22 +00:00
Terrance DeJesus 3b2d1af051 new guided onboarding rule (#2492) 2023-01-24 11:26:28 -05:00
Jonhnathan 0e535e5931 [Rule Tuning] Remove unreleased timeline from alert correlation rules (#2462) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-01-12 12:10:59 -03:00
Jonhnathan 9981cca275 [Security Content] Investigation Guides Line breaks refactor (#2454) 
* [Security Content] Investigation Guides Line breaks refactor (#2412)

* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key

* Remove changes to deprecated rules

* Update command_and_control_certutil_network_connection.toml
 2023-01-09 13:28:10 -03:00
Terrance DeJesus b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) 
This reverts commit d1481e1a88.
 2023-01-09 10:44:54 -05:00
Jonhnathan d1481e1a88 [Security Content] Investigation Guides Line breaks refactor (#2412) 
* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key
 2023-01-09 11:56:39 -03:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Jonhnathan 0acbe1d832 [New Rule] Multiple Alerts Involving a User (#2401) 
* [New Rule] Multiple Alerts Involving a User

* Update definitions.py

* update query

* Update multiple_alerts_involving_user.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-01-03 12:25:40 -03:00
Terrance DeJesus baa6b77040 [Rule Tuning] Change Guided Onboarding Rule to Experimental (#2439) 
* initial commit with rule changes

* removed rule from version lock file to pass unit testing; adjusted rule file name

* adjusted maturity to development
 2022-12-21 13:36:24 -05:00
Jonhnathan 9f6a54e645 [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2423) 
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host

* Update non-ecs-schema.json

* Remove duplicated value on non-ecs-schema.json

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-12-16 16:05:18 -03:00
Terrance DeJesus ae4e59ec7d [FR] Update ATT&CK Package to v12.1 (#2422) 
* initial update to v12.1 attack package

* added additional click echo output

* addressed flake errors

* updated rules with refreshed att&ck data

* Update detection_rules/devtools.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-12-16 12:04:20 -05:00
Isai c6f5d47cdf Update guided_onborading_sample_rule.toml (#2408) 
changed name to "My First Rule"

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2022-11-28 08:47:37 -08:00