sigma-rules

Author	SHA1	Message	Date
Jonhnathan	91c00fd442	[Security Content] Add Investigation Guides - Cloud - 3 (#2132 ) * [Security Content] Add Investigation Guides - Cloud - 3 * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Update rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml * update dates * Apply suggestions from review Co-authored-by: Joe Peeples <joe.peeples@elastic.co>	2022-07-27 15:40:09 -03:00
Terrance DeJesus	e8c39d19a7	[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073 ) * initial commit with eggshell mitre mapping added * adding updated rules * [Rule Tuning] MITRE for GCP rules I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic. * [Rule Tuning] Endgame Rule name updates for Mitre Updated Endgame rule names for those with Mitre tactics to match the tactics. * Update rules/integrations/aws/persistence_redshift_instance_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * adding 10 updated rules for google_workspace, ml and o365 * adding 22 rule updates for mitre att&ck mappings * adding 24 rule updates related mainly to ML rules * adding 3 rules related to detection via ML * adding adjustments * adding adjustments with solutions to recent pytest errors * removed tabs from tags * adjusted mappings and added techniques * adjusted endgame rule mappings per review * adjusted names to match different tactics * added execution and defense evasion tag * adjustments to address errors from merging with main * added newlines to rules missing them at the end of the file Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-07-22 14:30:34 -04:00
Jonhnathan	7ddae4b493	[Security Content] Add Investigation Guides - Cloud - 2 (#2124 ) * [Security Content] Add Investigation Guides - Cloud - 2 * Replace config/setup * Applies suggestions from review * Update credential_access_aws_iam_assume_role_brute_force.toml * Apply suggestions from code review * Update credential_access_aws_iam_assume_role_brute_force.toml * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>	2022-07-22 14:32:42 -03:00
Mika Ayenson	a52751494e	2058 add setup field to metadata (#2061 ) * Convert config header to setup in note field * Parse note field into separate setup and note field with marko gfm * only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-07-18 15:41:32 -04:00
Jonhnathan	8a9b52f7e1	Update impact_azure_service_principal_credentials_added.toml (#1802 )	2022-03-02 05:36:21 -03:00
Jonhnathan	1c50f35aed	[Security Content] Update rules based on docs review (#1803 ) * Adds suggestions from security-docs * Update rules/windows/lateral_movement_powershell_remoting_target.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-03-01 21:39:30 -03:00
Jonhnathan	8664ef59f4	Update persistence_azure_conditional_access_policy_modified.toml (#1788 )	2022-02-22 15:26:28 -03:00
Jonhnathan	dec4243db0	[Rule Tuning] Update rules based on docs review (#1778 ) * Update rules based on docs review * trivial change to trigger CLA * undo changes from triggering build Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-02-16 07:42:06 -09:00
Justin Ibarra	72c64de3f5	[Rule tuning] Update rules based on docs review (#1663 ) * [Rule tuning] Update rule verbiage based on docs review * fix typos Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * revert TI rule changes since it was deprecated Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-01-28 10:41:22 -09:00
Jonhnathan	14252d45ee	[New Rule] Global Administrator Role Assigned (#1686 ) * Initial Global Administrator Role Assigned Rules * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-01-27 09:53:02 -03:00
Jonhnathan	fdeb8cb1de	[Rule Tuning] Azure Virtual Network Device Modified or Deleted (#1679 ) * Update impact_virtual_network_device_modified.toml * Change case	2022-01-27 09:15:22 -03:00
Austin Songer	96ada9e223	[New Rule] Azure Suppression Rule Created (#1666 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Moved to correct directory. * Suppression Rule Created * Update defense_evasion_suppression_rule_created.toml * Update defense_evasion_suppression_rule_created.toml * Update defense_evasion_suppression_rule_created.toml * Update defense_evasion_suppression_rule_created.toml * Update defense_evasion_suppression_rule_created.toml * Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-01-20 08:46:24 -03:00
Justin Ibarra	14c46f50b9	[Rule Tuning] updates from documentation review for 7.16 (#1645 )	2021-12-07 15:42:58 -09:00
Austin Songer	521f0987ae	[New Rule] Azure Kubernetes Rolebindings Created (#1576 ) * Create azure_kubernetes_rolebinding_created_or_deleted.toml * Update * Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml * Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml * Update privilege_escalation_azure_kubernetes_rolebinding_created.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-11-29 09:16:00 -03:00
Austin Songer	3dd32608a0	[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579 ) * Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml * Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-11-17 19:38:12 -03:00
Austin Songer	50501bb40f	[New Rule] Azure Full Network Packet Capture Detected (#1420 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Create exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 23:06:27 -03:00
Austin Songer	790586fb57	[New Rule] Azure Virtual Network Device Modified or Deleted (#1421 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update defense_evasion_virtual_network_device_modified.toml * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml * fix description Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:11:05 -03:00
Austin Songer	761df5fe84	[New Rule] Azure Kubernetes Pods Deleted (#1309 ) * Create impact_kubernetes_pod_deleted.toml * Update impact_kubernetes_pod_deleted.toml * Update * Update impact_kubernetes_pod_deleted.toml * quote value in query Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-15 16:07:39 -03:00
Austin Songer	7123d46623	[New Rule] Azure Blob Permissions Modification (#1499 ) * Create defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update description and query (spacing) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2021-10-14 06:59:24 -03:00
Austin Songer	3d15c2072d	[New Rule] Azure Kubernetes Events Deleted (#1307 ) * Create defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add quotes to azure query field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-10-14 06:57:33 -03:00
Austin Songer	d28c48f20f	[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393 )	2021-09-29 09:08:09 -08:00
Nic	8b2c8c2e03	[Rule tuning] Azure Active Directory High Risk Sign-in (#1463 ) * Add Aggregated Risk Level * There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on. * An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types	2021-08-30 14:33:44 -08:00
Ross Wolf	1882f4456c	[Fleet] Track integrations in folder and metadata (#1372 ) * Track integrations in folder and metadata * Remove duplicate entry * Update note and tests	2021-07-21 15:24:56 -06:00

23 Commits