sigma-rules

Author SHA1 Message Date

Author	SHA1	Message	Date
Apoorva Joshi	c5606e7f3f	Update Advanced Analytics config guides (#3302 ) * Updating config guides for Advanced Analytics rules * More updates * Update setup instructions for LMD * Adding more guides * update TestRuleTiming unit test to ignore advanced analytic rules * fixed flake error * Moving config guides under setup instead of note * Removing leading and trailing whitespace * Updates as requested by PM * Updating related integrations, minor updates to setup guides * fixing unit tests to ignore analytic packages with multiple integration tags * Update tests/test_all_rules.py * fixing linting errors --------- Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Removed changes from: - rules/integrations/beaconing/command_and_control_beaconing.toml - rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml (selectively cherry picked from commit `9a9f5437f2`)	2023-12-13 15:58:18 +00:00
Terrance DeJesus	4ed6c7d594	[New Rule] Add Living-off-the-Land (LotL) ProblemChild Rules (#3193 ) * adding new LotL rules * added endpoint tags; updated technique mapping * added missing data source tag * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * updated note, references and date * changed ATT&CK technique to binary proxy execution --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit `835be9b245`)	2023-10-23 16:29:59 +00:00

Apoorva Joshi

c5606e7f3f

Update Advanced Analytics config guides (#3302 )

* Updating config guides for Advanced Analytics rules

* More updates

* Update setup instructions for LMD

* Adding more guides

* update TestRuleTiming unit test to ignore advanced analytic rules

* fixed flake error

* Moving config guides under setup instead of note

* Removing leading and trailing whitespace

* Updates as requested by PM

* Updating related integrations, minor updates to setup guides

* fixing unit tests to ignore analytic packages with multiple integration tags

* Update tests/test_all_rules.py

* fixing linting errors

---------

Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

(selectively cherry picked from commit 9a9f5437f2)

2023-12-13 15:58:18 +00:00

Terrance DeJesus

4ed6c7d594

[New Rule] Add Living-off-the-Land (LotL) ProblemChild Rules (#3193 )

* adding new LotL rules

* added endpoint tags; updated technique mapping

* added missing data source tag

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* updated note, references and date

* changed ATT&CK technique to binary proxy execution

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 835be9b245)

2023-10-23 16:29:59 +00:00

2 Commits