Commit Graph

1694 Commits

Author SHA1 Message Date
shashank-elastic 275c7288a3 Add testcase to check for related_integrations based on index (#4096) 2024-10-22 00:17:30 +05:30
Terrance DeJesus d0225c37df [Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' (#4169)
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'

* added missing bracket

* linted

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

* removed intelephense whitelisting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-10-18 11:50:57 -04:00
Ruben Groenewoud 42f6c8f9a5 [Rule Tuning] Q2 Linux DR Tuning - Part 4 (#4165) 2024-10-18 17:13:44 +02:00
Ruben Groenewoud b309bcb7ae [Rule Tuning] Q2 Linux DR Tuning - Part 5 (#4166)
* [Rule Tuning] Q2 Linux DR Tuning - Part 5

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-10-18 17:02:26 +02:00
Ruben Groenewoud 601254488b [BBR Promotion] Q2 Linux BBR Promotion (#4172)
* [BBR Promotion] Q2 Linux BBR Promotion

* Update collection_linux_clipboard_activity.toml

* Update defense_evasion_creation_of_hidden_files_directories.toml
2024-10-18 16:55:09 +02:00
Ruben Groenewoud 09bd4cef16 [Rule Tuning] Q2 Linux DR Tuning - CP (#4170)
* [Rule Tuning] Q2 Linux DR Tuning - CP

* Update command_and_control_non_standard_ssh_port.toml
2024-10-18 16:38:14 +02:00
Ruben Groenewoud ac6a49eeea [Rule Tuning] Q2 Linux DR Tuning - Part 6 (#4167) 2024-10-18 16:25:54 +02:00
Ruben Groenewoud 39fc23cb3d [Rule Tuning] Q2 Linux DR Tuning - Part 3 (#4164)
* [Rule Tuning] Q2 Linux DR Tuning - Part 3

* Update execution_suspicious_executable_running_system_commands.toml
2024-10-18 16:18:14 +02:00
Ruben Groenewoud 3982228132 [Rule Tuning] Q2 Linux DR Tuning - Part 2 (#4163) 2024-10-18 16:07:09 +02:00
Ruben Groenewoud af9f9e2456 [Rule Tuning] Q2 Linux DR Tuning - Part 1 (#4162)
* [Rule Tuning] Q2 Linux DR Tuning - Part 1

* Update defense_evasion_binary_copied_to_suspicious_directory.toml
2024-10-18 15:59:51 +02:00
Terrance DeJesus 61b731c300 [Rule Tuning] Remove Salesforce Client User-Agent Whitelisting in MFA Deactivation with no Re-Activation for Okta User Account (#4145)
* tuning

* added note about whitelisting user agent

* removed extra new line
2024-10-16 11:41:50 -04:00
Jonhnathan 2c07e88c07 [Rule Tuning] Fix double bumps caused by Windows Integration Update (#4156) 2024-10-15 23:57:44 +05:30
Samirbous 8f56b7de5e Update privilege_escalation_gpo_schtask_service_creation.toml (#4152) 2024-10-15 18:36:35 +05:30
Samirbous a98161ad2a [Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#4144)
* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-10-15 10:49:01 +01:00
Samirbous 8404d41cca [New] Untrusted DLL Loaded by Azure AD Sync Service (#4151)
* Create credential_access_imageload_azureadconnectauthsvc.toml

* Update credential_access_imageload_azureadconnectauthsvc.toml

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_imageload_azureadconnectauthsvc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-10-14 18:04:46 +01:00
Jonhnathan e1addc6a8f [Rule Tuning] 3rd Party EDR Compatibility - 18 (#4056)
* [Rule Tuning] 3rd Party EDR Compatibility - 18

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* Update persistence_browser_extension_install.toml

* min_stack for merge, bump updated_date

* Update persistence_browser_extension_install.toml
2024-10-13 20:25:17 -03:00
Jonhnathan 6f69b33529 [Rule Tuning] 3rd Party EDR Compatibility - 17 (#4042)
* [Rule Tuning] 3rd Party EDR Compatibility - 17

* Update rules/windows/privilege_escalation_unusual_parentchild_relationship.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-10-13 18:34:22 -03:00
Jonhnathan 7385f9dd2e [Rule Tuning] 3rd Party EDR Compatibility - 16 (#4041)
* [Rule Tuning] 3rd Party EDR Compatibility - 16

* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml

* min_stack for merge, bump updated_date

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-10-13 18:14:24 -03:00
Jonhnathan 080a891c79 [Rule Tuning] 3rd Party EDR Compatibility - 15 (#4040)
* [Rule Tuning] 3rd Party EDR Compatibility - 15

* min_stack for merge, bump updated_date
2024-10-11 18:33:22 -03:00
Jonhnathan 10a8cef21f [Rule Tuning] 3rd Party EDR Compatibility - 14 (#4039)
* [Rule Tuning] 3rd Party EDR Compatibility - 14

* min_stack for merge, bump updated_date
2024-10-11 17:22:53 -03:00
Jonhnathan 07c4535871 [Rule Tuning] 3rd Party EDR Compatibility - 13 (#4038)
* [Rule Tuning] 3rd Party EDR Compatibility - 13

* min_stack for merge, bump updated_date
2024-10-11 16:55:02 -03:00
Jonhnathan 0cbbae4f83 [Rule Tuning] 3rd Party EDR Compatibility - 12 (#4037)
* [Rule Tuning] 3rd Party EDR Compatibility - 12

* min_stack for merge, bump updated_date
2024-10-11 16:37:20 -03:00
Jonhnathan 32d02ae7aa [Rule Tuning] 3rd Party EDR Compatibility - 11 (#4036)
* [Rule Tuning] 3rd Party EDR Compatibility - 11

* min_stack for merge, bump updated_date
2024-10-11 16:14:40 -03:00
Jonhnathan 7b655759ab [Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035)
* [Rule Tuning] 3rd Party EDR Compatibility - 10

* min_stack for merge, bump updated_date
2024-10-11 15:58:37 -03:00
Jonhnathan 8938f09668 [Rule Tuning] 3rd Party EDR Compatibility - 9 (#4034)
* [Rule Tuning] 3rd Party EDR Compatibility - 9

* min_stack for merge, bump updated_date
2024-10-11 15:41:36 -03:00
Jonhnathan 5b17dfa63a [Rule Tuning] 3rd Party EDR Compatibility - 8 (#4032)
* [Rule Tuning] 3rd Party EDR Compatibility - 8

* min_stack for merge, bump updated_date
2024-10-11 15:12:58 -03:00
Jonhnathan 6b71ad7ab9 [Rule Tuning] 3rd Party EDR Compatibility - 7 (#4031)
* [Rule Tuning] 3rd Party EDR Compatibility - 7

* min_stack for merge, bump updated_date
2024-10-11 15:01:45 -03:00
Jonhnathan fbe17eb1ee [Rule Tuning] 3rd Party EDR Compatibility - 6 (#4030)
* [Rule Tuning] 3rd Party EDR Compatibility - 6

* min_stack for merge, bump updated_date
2024-10-11 14:34:42 -03:00
Jonhnathan f91a6fa8d6 [Rule Tuning] 3rd Party EDR Compatibility - 5 (#4022)
* [Rule Tuning] 3rd Party EDR Compatibility - 5

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
2024-10-11 14:21:17 -03:00
Jonhnathan 1d9cb6a195 [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes (#4117)
* [Rule Tuning] Active Directory Forced Authentication from Linux Host - SMB Named Pipes

* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml
2024-10-11 13:46:57 -03:00
Jonhnathan f021229da4 [Rule Tuning] 3rd Party EDR Compatibility - 4 (#4021)
* [Rule Tuning] 3rd Party EDR Compatibility - 4

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
2024-10-11 13:33:32 -03:00
Jonhnathan 2afb4038db [Rule Tuning] 3rd Party EDR Compatibility - 3 (#4020)
* [Rule Tuning] 3rd Party EDR Compatibility - 3

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
2024-10-11 13:19:56 -03:00
Jonhnathan 4538bfcd9f [Rule Tuning] 3rd Party EDR Compatibility - 2 (#4019)
* [Rule Tuning] 3rd Party EDR Compatibility - 2

* Update credential_access_iis_connectionstrings_dumping.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
2024-10-11 12:55:31 -03:00
Jonhnathan 6be1f0bad6 [Rule Tuning] 3rd Party EDR Compatibility - 1 (#4017)
* [Rule Tuning] 3rd Party EDR Compatibility - 1

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date

* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
2024-10-11 12:09:11 -03:00
Terrance DeJesus 06319b7a13 [Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146)
* updating ES|QL rules to include KEEP command

* fixed some ES|QL rules with typos; added validation for KEEP command

* fixed ES|QL errors from missing fields

* fixed flake errors

* updated date

* added best practices to hunt docs
2024-10-09 21:08:38 -04:00
Terrance DeJesus 281926052c [Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126)
* fixed existing rules;added query checks

* fixed flake errors

* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules

* removed ValueError and replaced it with ValidationError

* adjusted validation error output based on feedback

* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added space for failure

* updated to use re.compile

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-09 15:25:36 -04:00
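The two ES|QL commits above (adding a KEEP command to every rule, and requiring METADATA on non-aggregating queries) both describe a query check that the repository enforces in its validation code. The following is an added example of such a check, written here for illustration; it is not the detection-rules project's validator. It follows the details the commit messages mention (a compiled regex with re.DOTALL, a ValidationError rather than ValueError) but the exact required field set `_id, _version, _index`, the class name, and the sample queries are assumptions.

```python
"""Lint checks for ES|QL detection-rule queries.

Added example, not code from the detection-rules repository or its validators.
It reproduces the two checks the commits above describe: every query must include
a KEEP command, and a query that does not aggregate (no STATS) must request
METADATA on its FROM clause so each result row still points at a source document.
The required field set (_id, _version, _index) and the ValidationError type are
assumptions made here for illustration.
"""
import re


class ValidationError(Exception):
    """Raised when a query fails a check (hypothetical, stands in for the project's own)."""


# Required METADATA fields for non-aggregating queries (assumed set).
REQUIRED_METADATA = ("_id", "_version", "_index")

# ES|QL source commands can wrap onto several lines, so re.DOTALL lets "." cross them.
_FROM_METADATA = re.compile(
    r"^\s*from\s+.*?\bmetadata\s+(?P<fields>.+)$",
    re.IGNORECASE | re.DOTALL,
)
_STATS = re.compile(r"\|\s*stats\b", re.IGNORECASE)
_KEEP = re.compile(r"\|\s*keep\b", re.IGNORECASE)


def is_aggregating(query: str) -> bool:
    """True when a STATS command is present: rows are then buckets, not documents."""
    return _STATS.search(query) is not None


def metadata_fields(query: str) -> set:
    """Return the METADATA fields named on the FROM command, or an empty set."""
    source_cmd = query.split("|", 1)[0]  # everything before the first pipe is the FROM command
    match = _FROM_METADATA.match(source_cmd)
    if match is None:
        return set()
    return {f.strip() for f in match.group("fields").split(",") if f.strip()}


def lint_esql(query: str) -> list:
    """Return the problems found; an empty list means the query passes both checks."""
    problems = []
    if _KEEP.search(query) is None:
        problems.append("missing KEEP command")
    if not is_aggregating(query):
        missing = sorted(set(REQUIRED_METADATA) - metadata_fields(query))
        if missing:
            problems.append("non-aggregating query missing METADATA " + ", ".join(missing))
    return problems


def validate_esql(query: str) -> None:
    """Raise ValidationError (not ValueError) so callers can tell rule defects from bugs."""
    problems = lint_esql(query)
    if problems:
        raise ValidationError("; ".join(problems))


# Constructed sample queries, not rules from the repository.
GOOD = """
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.dataset == "aws.cloudtrail" and event.action == "GetCallerIdentity"
| keep @timestamp, event.action, aws.cloudtrail.user_identity.type
"""
AGGREGATE = """
from logs-aws.cloudtrail-*
| where event.action == "GetServiceQuota"
| stats regions = count_distinct(cloud.region) by aws.cloudtrail.user_identity.arn
| where regions > 1
| keep regions, aws.cloudtrail.user_identity.arn
"""
NO_KEEP = """
from logs-aws.cloudtrail-* metadata _id, _version, _index
| where event.action == "GetCallerIdentity"
"""
PARTIAL_METADATA = """
from logs-aws.cloudtrail-* metadata _id
| where event.action == "GetCallerIdentity"
| keep @timestamp
"""

if __name__ == "__main__":
    samples = [("GOOD", GOOD), ("AGGREGATE", AGGREGATE),
               ("NO_KEEP", NO_KEEP), ("PARTIAL_METADATA", PARTIAL_METADATA)]
    for name, q in samples:
        print(name, lint_esql(q) or "ok")
```

The aggregate query passes without METADATA because a STATS row is a bucket, not a document, so there is nothing for `_id` to point at; the KEEP requirement still applies to it. Run the file directly to see each sample query's verdict.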
Terrance DeJesus 7674229f49 [New Rule] Successful Application SSO from Rare Unknown Client Device (#4141)
* new rule 'Successful Application SSO from Rare Unknown Client Device'

* removing extra newlines

* adjusted tags; adjusted risk
2024-10-07 12:11:57 -04:00
Terrance DeJesus 45a347580c [Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118)
* fixing single equal operator

* Additional data source tag for consistency

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-02 15:50:22 -04:00
Samirbous a68a404bd8 Update defense_evasion_posh_assembly_load.toml (#4112) 2024-10-01 17:30:38 +05:30
Ruben Groenewoud 5b41bbd5e9 [Tuning] Updated references (#4114) 2024-10-01 08:43:14 -03:00
Terrance DeJesus ef4e433d97 [Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Microsoft 365 Rules (#4105)
* tuning M365 impossible travel activity rules

* added additional filters for user type logins

* adjusted updated date
2024-09-28 18:13:03 -04:00
Samirbous 1d1b2eb90f Update command_and_control_tunnel_vscode.toml (#4104) 2024-09-28 11:46:46 +01:00
shashank-elastic ef95a541f4 Fix GenAI Request Model ID Field (#4111) 2024-09-27 21:59:02 +05:30
Ruben Groenewoud a3e89a7fab [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) (#4106)
* [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE)

* Description update

* Investigation Guide Update
2024-09-27 14:48:03 +02:00
Mika Ayenson b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097)
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-09-25 15:19:20 -05:00
Isai 0ed6b3f0a2 [Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094)
Tuning this rule to exclude identity type `AssumedRole`, as this is too common a behavior, often automated, and used to verify current identity and role assumptions. Therefore, it is not as indicative of suspicious behavior when used by assumed roles. This rule will still trigger for `IAM User` and `Federated User` identity types. In telemetry, this change reduces alerts from ~240,000 to 43 in the last 30 days.
2024-09-24 09:32:12 -04:00
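The tuning described in the commit above drops a whole identity type from a first-seen check. The following is an added example, not the repository's rule, that reproduces that logic over constructed CloudTrail-style events and shows why assumed roles inflate the alert count: each assumed-role session carries its own ARN (role name plus session name), so a "first time this identity called GetCallerIdentity" rule fires once per CI job or automation run. The raw CloudTrail `userIdentity.type` values (`IAMUser`, `AssumedRole`, `FederatedUser`) are used instead of the ECS field names, and the account id and ARNs are placeholders.

```python
"""First-seen GetCallerIdentity callers, with AssumedRole excluded.

Added example, not the rule from the detection-rules repository. It shows why
the tuning in the commit above removes so much volume: every assumed-role
session gets its own ARN (role name plus session name), so a "first time this
identity called GetCallerIdentity" check fires once per CI job or automation
run. The events below are constructed CloudTrail-style records, not telemetry,
and use the raw CloudTrail userIdentity field names rather than the ECS mapping.
"""

# Identity types the tuned rule ignores (the commit above excludes AssumedRole only).
EXCLUDED_TYPES = frozenset({"AssumedRole"})


def first_seen_alerts(events, excluded=EXCLUDED_TYPES):
    """Return one alert per identity ARN the first time it calls sts:GetCallerIdentity.

    Events are processed in time order. Identity types in ``excluded`` are dropped
    before the first-seen bookkeeping, mirroring a rule query filter rather than a
    post-filter, so they neither alert nor count as "already seen".
    """
    seen = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "GetCallerIdentity":
            continue
        identity = ev["userIdentity"]
        if identity["type"] in excluded:
            continue
        arn = identity["arn"]
        if arn in seen:
            continue
        seen.add(arn)
        alerts.append({"eventTime": ev["eventTime"], "type": identity["type"], "arn": arn})
    return alerts


def _event(time, itype, arn, name="GetCallerIdentity", source="sts.amazonaws.com"):
    """Build a minimal CloudTrail-like record (constructed test data)."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"type": itype, "arn": arn},
    }


ACCOUNT = "123456789012"  # placeholder account id
SAMPLE_EVENTS = [
    _event("2024-09-01T10:00:00Z", "IAMUser", f"arn:aws:iam::{ACCOUNT}:user/alice"),
    # Two runs of the same CI role: distinct session names, distinct ARNs.
    _event("2024-09-01T10:05:00Z", "AssumedRole", f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-101"),
    _event("2024-09-01T10:06:00Z", "AssumedRole", f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-102"),
    _event("2024-09-02T08:00:00Z", "FederatedUser", f"arn:aws:sts::{ACCOUNT}:federated-user/bob"),
    # Repeat caller: not a first-seen event.
    _event("2024-09-03T09:00:00Z", "IAMUser", f"arn:aws:iam::{ACCOUNT}:user/alice"),
    # Different API call: outside the rule's scope.
    _event("2024-09-03T09:01:00Z", "IAMUser", f"arn:aws:iam::{ACCOUNT}:user/alice",
           name="ListBuckets", source="s3.amazonaws.com"),
]

if __name__ == "__main__":
    tuned = first_seen_alerts(SAMPLE_EVENTS)
    untuned = first_seen_alerts(SAMPLE_EVENTS, excluded=frozenset())
    print(f"untuned: {len(untuned)} alerts, tuned: {len(tuned)} alerts")
    for a in tuned:
        print(a["eventTime"], a["type"], a["arn"])
```

With the exclusion in place the sample yields two alerts (alice and bob); without it, the two CI sessions each add an alert of their own. Keying on the role ARN instead of the session ARN would be the alternative if assumed roles had to stay in scope.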
Samirbous 5e0fb4a63e [Tuning] Add logs-panw.panos index to Network rules (#4089)
* [Tuning] Add logs-panw.panos index to Network rules

https://github.com/elastic/detection-rules/issues/3998

This PR adds the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.

* add tag and integration

* Update command_and_control_fin7_c2_behavior.toml

* Build Manifest and Schema for panw integration

* Update definitions.py

* Update definitions.py

* Fix definitions declaration

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2024-09-19 08:01:44 +01:00
Samirbous def2a9ef09 [New] ROT encoded Python Script Execution (#4084)
* [New] ROT encoded Python Script Execution

* Update defense_evasion_encoding_rot13_python_script.toml

* ++

* Update defense_evasion_encoding_rot13_python_script.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-17 16:52:46 +01:00
shashank-elastic 814130bf34 min_stack New Rules that use the S1 Integration (#4081) 2024-09-16 20:12:09 +05:30
Jonhnathan 7c78e4081f [Rule Tuning] min_stack New Rules that use the S1 Integration (#4079)
* [Rule Tuning] min_stack New Rules that use the S1 Integration

* Update execution_windows_powershell_susp_args.toml

* Update execution_initial_access_foxmail_exploit.toml
2024-09-16 11:02:46 -03:00