security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,007 Commits 1 Branch 0 Tags
c31d5ffd3296014418ebbf460fbb8cf4d8e18e73
Commit Graph

5 Commits

Author SHA1 Message Date
Justin Ibarra 3311168e28 Expand timestamp override tests (#1907) 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit 6bdfddac8e)
 2022-04-01 23:29:22 +00:00
Justin Ibarra d31ea6253e Refresh ATT&CK mappings to v9.0 (#1401) 
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
 2021-08-04 14:16:10 -08:00
Brent Murphy 12577f7380 [Rule Tuning] Update network rule address blocks (#1227) 
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-15 09:22:59 -04:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Andrew Pease 8c4df09542 [New Rule] Installer Spawning cURL from macOS Package (#960) 
* initial commit

* extra lint extra test

* Update rules/macos/execution_curl_spawned_from_installer_package.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/execution_curl_spawned_from_installer_package.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_curl_spawned_from_installer_package.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_curl_spawned_from_installer_package.toml

Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>

* moved to EQL

* Update rules/macos/execution_installer_spawned_network_event.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
 2021-02-26 09:46:01 -06:00