security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,946 Commits 1 Branch 0 Tags
d4bf04256d96aa26ef5cf45bb6be201176aba1f2
Commit Graph

121 Commits

Author SHA1 Message Date
Terrance DeJesus d4bf04256d [Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477) 
* deprecating

* adjusted matury tag; updated dates
 2024-04-01 11:01:20 -04:00
Jonhnathan c610e19114 [Rule Tuning] Guided Onboarding Rule (#3502) 
* [Rule Tuning] Guided Onboarding Rule

* Update guided_onboarding_sample_rule.toml

* Revert "Update guided_onboarding_sample_rule.toml"

This reverts commit 18721277df7416534440a4708fa3b060f2775a27.

* Update guided_onboarding_sample_rule.toml

* Update guided_onboarding_sample_rule.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-03-14 10:59:31 -03:00
Jonhnathan f5254f3b5e [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) 
* Initial commit

* Date bump
 2024-03-13 10:27:44 -03:00
Jonhnathan 458e67918a [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules
 2024-03-11 09:09:40 -03:00
Jonhnathan edf4da8526 [Rule Tuning] DR Performance-Poor Rules (#3399) 
* [Rule Tuning] DR Performance

* .

* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update persistence_startup_folder_scripts.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-03-11 08:50:42 -03:00
Ruben Groenewoud a438052ff3 [Tuning] Linux Cross-Platform Tuning - Part 1 (#3468) 
* [Tuning] Linux Cross-Platform Tuning - Part 1

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

* Update defense_evasion_deletion_of_bash_command_line_history.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-03-07 18:20:55 +01:00
Samirbous 4c74588c00 [Tuning] Suspicious File Downloaded from Google Drive (#3411) 
* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml
 2024-01-31 16:55:01 +00:00
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Ruben Groenewoud 788e2b2823 [Rule Tuning] Linux cross-platform DRs (#3346) 2024-01-08 10:44:03 +01:00
Terrance DeJesus 7e85854e7b deprecating 'Malicious Remote File Creation' (#3342) 2023-12-20 08:49:45 -05:00
shashank-elastic a568c56bc1 Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 2023-10-30 16:53:04 +05:30
Terrance DeJesus e7db39a492 [Rule Tuning] Review and Tune Potential Malicious File Downloaded from Google Drive (#3197) 
* added tuning to remove signed binaries and benign processes

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-27 14:12:55 -04:00
Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092) 
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-23 16:28:58 +02:00
Terrance DeJesus 1e514afa57 [New Rule] Migrate Lateral Movement Detection Rules (#3175) 
* adding LMD rules

* added setup note; updated references

* adds 2.0.0 lmd manifest and schema

* adjusted min-stack for non-ML rules
 2023-10-12 15:02:19 -04:00
Jonhnathan 4034436f06 [Security Content] Add missing osquery transforms (#3088) 
* [Security Content] Add missing osquery transforms

* Revertable unit test

* .

* Revert "Revertable unit test"

This reverts commit 8c909fc2712b16e062890a63f31a6c080b81244a.

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-09-13 08:07:01 -03:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
 2023-09-05 14:22:01 -04:00
Eric 17d0e5cda8 [Rule Tuning] Threat Intel Hash Indicator Match (#3031) 
* Remove impash matches due to rate of false positives

* Update rules/cross-platform/threat_intel_indicator_match_hash.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-25 06:21:16 -03:00
Jonhnathan 9387a081bc [Security Content] Add Investigation Guides to Threat Intel rules (#2827) 
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* [Security Content] Add Investigation Guides to Threat Intel rules

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

* Apply suggestions from review, adds Setup guide

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2023-07-27 11:30:14 -03:00
Jonhnathan 0ff50acfd2 [Rule Tuning] Tune Threat Indicator Match Rules (#2957) 
* [Rule Tuning] Tune Threat Indicator Match Rules

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-26 15:12:28 -03:00
Jonhnathan d1491c3ce1 [Rule Tuning] Threat Intel URL Indicator Match (#2902) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-18 20:21:15 -03:00
Jonhnathan f1ba092864 [Deprecation] Threat Intel Indicator Match - General Rules (#2901) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-18 20:12:53 -03:00
shashank-elastic 3ed8c56942 DR Linux Rule Tuning 8.9 (#2859) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-10 20:02:42 +05:30
Jonhnathan 90c79a8283 [Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules (#2777) 
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-28 10:22:24 -03:00
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823) 
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-23 10:58:31 -04:00
Terrance DeJesus d829b145ef [Bug] Fix Tag Navigator Generation (#2875) 
* bug fix for tag navigator generation

* addressing flake errors

* added unit test to ensure prefix exists

* updated unit test case sensitivity

* moved expected tags to definitions.py

* removed expected prefixes

* revert downloadable updates JSON file
 2023-06-23 10:44:55 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Terrance DeJesus 7d758fdacd [New Rule] Potential Malicious File Downloaded from Google Drive (#2862) 
* new rule for malicious files downloaded from Google Drive

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

* removed unecessary tags

* removed extra space

* updated false positives

* fix unit testing failure

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* removed note field

* added cmd.exe

* updated updated_dated

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* removed LoLBins to capture unknown binaries involved

* removed code signature requirements

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-06-22 14:10:14 -04:00
Ruben Groenewoud 6524acf98a [rule tuning] modified std auth module or config (#2737) 2023-05-03 09:32:33 +02:00
shashank-elastic f8e97da549 Rule Tuning Update MITRE Details (#2526) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-02-10 23:05:28 +05:30
Samirbous e737b4eb7c [Tuning] added T1021.006 and T1563.001 (#2497) 
* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_credential_access_modify_ssh_binaries.toml

* Update credential_access_potential_linux_ssh_bruteforce_root.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml

* Update persistence_ssh_authorized_keys_modification.toml
 2023-01-27 19:51:22 +00:00
Terrance DeJesus 3b2d1af051 new guided onboarding rule (#2492) 2023-01-24 11:26:28 -05:00
Jonhnathan 0e535e5931 [Rule Tuning] Remove unreleased timeline from alert correlation rules (#2462) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-01-12 12:10:59 -03:00
Jonhnathan 9981cca275 [Security Content] Investigation Guides Line breaks refactor (#2454) 
* [Security Content] Investigation Guides Line breaks refactor (#2412)

* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key

* Remove changes to deprecated rules

* Update command_and_control_certutil_network_connection.toml
 2023-01-09 13:28:10 -03:00
Terrance DeJesus b1a689b6fd Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453) 
This reverts commit d1481e1a88.
 2023-01-09 10:44:54 -05:00
Jonhnathan d1481e1a88 [Security Content] Investigation Guides Line breaks refactor (#2412) 
* [Security Content] Investigation Guides Line break refactor

* undo updated_date bump on deprecated rules

* Remove duplicated key
 2023-01-09 11:56:39 -03:00
Terrance DeJesus 4312d8c958 [FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429) 
* initial commit

* addressing flake errors

* added apm to _get_packagted_integrations logic

* addressed flake errors

* adjusted integration schema and updated rules to be a list

* updated several rules and removed a unit test

* updated rules with logs-* only index patterns

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* addressed flake errors

* integration is none is windows, endpoint or apm

* adding rules with accepted incoming changes from main

* fixed tag and tactic alignment errors from unit testing

* adjusted unit testing logic for integration tags; added more exclusion rules

* adjusted test_integration logic to be rule resistent and skip if -8.3

* adjusted comments for unit test skip

* fixed merge conflicts from main

* changing test_integration_tag to remove logic for rule version comparisons

* added integration tag to new rule

* adjusted rules updated_date value

* ignore guided onboarding rule in unit tests

* added integration tag to new rule

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-01-04 09:30:07 -05:00
Jonhnathan 0acbe1d832 [New Rule] Multiple Alerts Involving a User (#2401) 
* [New Rule] Multiple Alerts Involving a User

* Update definitions.py

* update query

* Update multiple_alerts_involving_user.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-01-03 12:25:40 -03:00
Terrance DeJesus baa6b77040 [Rule Tuning] Change Guided Onboarding Rule to Experimental (#2439) 
* initial commit with rule changes

* removed rule from version lock file to pass unit testing; adjusted rule file name

* adjusted maturity to development
 2022-12-21 13:36:24 -05:00
Jonhnathan 9f6a54e645 [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2423) 
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host

* Update non-ecs-schema.json

* Remove duplicated value on non-ecs-schema.json

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-12-16 16:05:18 -03:00
Terrance DeJesus ae4e59ec7d [FR] Update ATT&CK Package to v12.1 (#2422) 
* initial update to v12.1 attack package

* added additional click echo output

* addressed flake errors

* updated rules with refreshed att&ck data

* Update detection_rules/devtools.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2022-12-16 12:04:20 -05:00
Isai c6f5d47cdf Update guided_onborading_sample_rule.toml (#2408) 
changed name to "My First Rule"

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2022-11-28 08:47:37 -08:00
Jonhnathan a7caa4baf3 [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2399) 
* [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host

* Update definitions.py

* Update rules/cross-platform/multiple_alerts_different_tactics_host.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-11-18 17:38:27 -03:00
Jonhnathan ac01718bb6 [Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352) 
* [Rule Tuning] Add tags to flag Sysmon-only rules

* Modify tags

* Revert "Modify tags"

This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.

* Modify tags

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py

* Update test_all_rules.py
 2022-11-18 12:32:27 -03:00
Isai 2289fd6496 [New Rule] Masquerading Space After Filename (#2368) 
* Create defense_evasion_masquerading_space_after_filename.toml

new rule toml

* Update defense_evasion_masquerading_space_after_filename.toml

toml-lint the file

* Moved to cross-platform folder

moved to cross-platform folder

* update query to specify OS

added filter for host OS to query ```host.os.type:("linux","macos")```

* Update rule query: regex and process.executable

update rule query to use regex instead of wildcards and alert on process.executable instead of process.args and process.name to reduce noise.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-11-15 09:54:46 -05:00
shashank-elastic 48839ad6fe Rule to Identify Non-Standard Port connection(s) (#2365) 2022-11-15 20:13:12 +05:30
Terrance DeJesus 4997f95300 [Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388) 
* added elastic security labs URL references

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Is not compatible with Windows blog.

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Is not compatible with Windows blog. Reverting updated date.

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Is not compatible with Windows blog. Reverting updated date.

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Is not compatible with Windows blog.

* Update rules/ml/execution_ml_windows_anomalous_script.toml

Is not compatible with Windows blog. Reverting updated date.

* Update rules/linux/credential_access_collection_sensitive_files.toml

Not compatible with Windows blog. Reverting updated date.

* Update rules/linux/credential_access_collection_sensitive_files.toml

Not compatible with Windows blog.

* added credential access URL for mimikatz rules

* updated version ml windows anomalous script rule

* removed change to macOS rule since no blog correlation
 2022-11-07 15:17:49 -05:00
Jonhnathan 642992b1df [Guided Onboarding] Sample Rule for SIEM onboarding (#2324) 
* [Guided Onboarding] Sample Alert Rule

* Update guided_onborading_sample_rule.toml

* Update guided_onborading_sample_rule.toml

* Update rules/cross-platform/guided_onborading_sample_rule.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-10-18 09:46:41 -03:00
Jonhnathan 9861958833 [Security Content] Add missing "has_guide" tag (#2349) 
* Add missing "has_guide" tag

* bump updated_date
 2022-10-11 06:30:19 -07:00
Jonhnathan f5c992b6de [Security Content] Add Investigation Guides - 2 - 8.5 (#2314) 
* [Security Content] Add Investigation Guides - 2 - 8.5

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

* Merge branch 'main' into investigation_guides_8.5_2

* Revert "Merge branch 'main' into investigation_guides_8.5_2"

This reverts commit fb3c3f0245301d49229534d8776478c32f6c190e.

* Apply suggested changes from review

* Update discovery_security_software_grep.toml

* Apply suggestions from review

* Apply suggestions from review
 2022-09-26 12:59:39 -03:00
Jonhnathan f02ffbbe13 [Security Content] Add Investigation Guides - 8.5 (#2305) 
* [Security Content] Add Investigation Guides - 8.5

* Update persistence_run_key_and_startup_broad.toml

* Apply suggestions from security-docs review review

* Update execution_suspicious_jar_child_process.toml

* Apply suggestions from review
 2022-09-23 18:44:24 -03:00