sigma-rules

Author	SHA1	Message	Date
Ruben Groenewoud	aaf99b1873	[Rule Tuning] `agent.id` --> `host.id` `new_terms` Key Modification (#5802 ) * [Rule Tuning] `agent.id` --> `host.id` Migration * Updated_date bump	2026-03-02 13:24:25 +01:00
Ruben Groenewoud	b13afcdeaa	[Rule Tuning] Linux DR Tuning - 8 (#5505 ) * [Rule Tuning] Linux DR Tuning - 8 * Revise investigation guide for THC tool downloads Updated investigation guide to reflect THC tool instead of SSH-IT worm. Enhanced description for clarity. * Update exfiltration_unusual_file_transfer_utility_launched.toml * Refine ESQL query for brute force malware detection Updated the query to include additional fields and modified the conditions for filtering events. --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2026-01-08 10:01:11 +01:00
Ruben Groenewoud	37e18af7a5	[Rule Tuning] Adds Crowdstrike Compatibility to Linux Process Rules (#5232 ) * First batch * Second batch * Batch 2	2025-11-10 16:03:39 +01:00
shashank-elastic	63e91c2f12	Back-porting Version Trimming (#3704 )	2024-05-23 00:45:10 +05:30
Mika Ayenson	2c3dbfc039	Revert "Back-porting Version Trimming (#3681 )" This reverts commit `71d2c59b5c`.	2024-05-22 13:51:46 -05:00
shashank-elastic	71d2c59b5c	Back-porting Version Trimming (#3681 )	2024-05-23 00:11:50 +05:30
Jonhnathan	458e67918a	[Security Content] Small tweaks on the setup guides (#3308 ) * [Security Content] Small tweaks on the setup guides * Additional Fixes * Avoid touching deprecated rules	2024-03-11 09:09:40 -03:00
Ruben Groenewoud	08f946b394	[Tuning] Linux DR Tuning - Part 8 (#3460 ) * [Tuning] Linux DR Tuning - Part 8 * Update impact_esxi_process_kill.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2024-03-07 11:01:08 +01:00
Terrance DeJesus	1c10c37468	[Rule Tuning] Update `timestamp_override` Unit Tests and Fix Rules Missing Field (#3368 ) * updated timestamp override unit test; fixed rules missing this field * fixed flake error * simplified and consolidated logic * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * added comments * updated logic; added comments; removed unused variables * removed custom python script * updated dates * removed deprecated rule change * updated dates --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2024-01-17 14:14:38 -05:00
shashank-elastic	d52546eee5	Enhance Setup Guide information (#3256 )	2023-11-03 19:05:29 +05:30
shashank-elastic	7254c582c5	Move Setup information into setup filed (#3206 )	2023-10-23 19:28:18 +05:30
shashank-elastic	5a98208b53	Setup information for Linux Rules - Set6 (#3189 )	2023-10-17 19:33:07 +05:30
Jonhnathan	4233fef238	[Security Content] Include "Data Source: Elastic Defend" tag (#3002 ) * win folder * Other folders * Update test_all_rules.py * . * updated missing elastic defend tags --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-09-05 14:22:01 -04:00
shashank-elastic	3ed8c56942	DR Linux Rule Tuning 8.9 (#2859 ) Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-07-10 20:02:42 +05:30
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Justin Ibarra	59da2da474	[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) * add unit tests to ensure host type and platform are included * add host.os.name 'linux' to all linux rules * add host.os.name macos to mac rules * add host.os.name to windows rules; fix linux dates * update from host.os.name to host.os.type Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-03-05 11:41:19 -07:00
Jonhnathan	77c8665f11	[Rule Tuning] Add endgame support for Linux Rules (#2436 ) * [Rule Tuning] Add endgame support for Linux Rules * [Rule Tuning] Add endgame support for Linux Rules * . * Update persistence_insmod_kernel_module_load.toml	2023-01-23 20:53:15 -03:00
Jonhnathan	9981cca275	[Security Content] Investigation Guides Line breaks refactor (#2454 ) * [Security Content] Investigation Guides Line breaks refactor (#2412) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key * Remove changes to deprecated rules * Update command_and_control_certutil_network_connection.toml	2023-01-09 13:28:10 -03:00
Terrance DeJesus	b1a689b6fd	Revert "[Security Content] Investigation Guides Line breaks refactor (#2412 )" (#2453 ) This reverts commit `d1481e1a88`.	2023-01-09 10:44:54 -05:00
Jonhnathan	d1481e1a88	[Security Content] Investigation Guides Line breaks refactor (#2412 ) * [Security Content] Investigation Guides Line break refactor * undo updated_date bump on deprecated rules * Remove duplicated key	2023-01-09 11:56:39 -03:00
Terrance DeJesus	4312d8c958	[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) * initial commit * addressing flake errors * added apm to _get_packagted_integrations logic * addressed flake errors * adjusted integration schema and updated rules to be a list * updated several rules and removed a unit test * updated rules with logs-* only index patterns * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * addressed flake errors * integration is none is windows, endpoint or apm * adding rules with accepted incoming changes from main * fixed tag and tactic alignment errors from unit testing * adjusted unit testing logic for integration tags; added more exclusion rules * adjusted test_integration logic to be rule resistent and skip if -8.3 * adjusted comments for unit test skip * fixed merge conflicts from main * changing test_integration_tag to remove logic for rule version comparisons * added integration tag to new rule * adjusted rules updated_date value * ignore guided onboarding rule in unit tests * added integration tag to new rule Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-01-04 09:30:07 -05:00
Jonhnathan	ac01718bb6	[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352 ) * [Rule Tuning] Add tags to flag Sysmon-only rules * Modify tags * Revert "Modify tags" This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434. * Modify tags * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py * Update test_all_rules.py	2022-11-18 12:32:27 -03:00
Jonhnathan	ec04a39413	[Security Content] Tag rules with robust Investigation Guides (#2297 )	2022-09-23 14:20:32 -03:00
Justin Ibarra	46d5e37b76	min_stack all rules to 8.3 (#2259 ) * min_stack all rules to 8.3 * bump date Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>	2022-08-24 10:38:49 -06:00
shashank-elastic	b2b5c170dd	Rule(s) to identify potential mining activities (#2185 )	2022-07-29 23:00:18 +05:30

25 Commits