Isai
e22f60f44c
[Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063)
- query change: I chose to replace `aws.cloudtrail.user_identity.arn` with `user.id` and a more accurate wildcard pattern. This will reduce the chances of this rule triggering for role sessions outside of those started by EC2 instances. The wildcard pattern looks for a role session name that starts with `i-`; this is because when an EC2 instance operates using its attached Role (instance profile), the session name attached to that role name is the instance id (`i-......`). The `user.id` field appends this session name to the role name via a standard pattern `:[session_name]`, making it a more reliable field to use in this case.
- small edits to description and IG
- reduced execution window
- reduced history window
- edited highlighted fields
Note: the new_terms field here remains `aws.cloudtrail.user_identity.arn` because we are only interested in assumed roles, and even more particular, only those used by an EC2 instance. This means we want to evaluate each individual instance's behavior rather than the broader behavior of the role itself. The arn field will capture each instance id (session name) alongside the role itself.
2025-09-11 15:11:40 -04:00
shashank-elastic
25539fd6c6
Delete Development Rules (#5084)
2025-09-10 23:24:28 +05:30
shashank-elastic
822f649715
Fix updated_date for tunings as part of #5079 (#5081)
2025-09-10 22:05:36 +05:30
shashank-elastic
c6406e97c2
Tune Rules that have unsupported versions in min_stack_version (#5079)
2025-09-10 19:43:28 +05:30
Mika Ayenson, PhD
392e0253c3
[Rule Tuning] Beats & Endgame Indices (#5072)
2025-09-09 13:19:13 -05:00
Ruben Groenewoud
0f0f16bdee
[Rule Tuning] D-Bus Service Created (#5076)
2025-09-09 15:33:58 +02:00
Jonhnathan
375082729a
[Rule Tuning] Adjust process.code_signature.trusted condition (#5067)
* [Rule Tuning] Adjust process.code_signature.trusted condition
* typo
2025-09-08 08:42:17 -07:00
Jonhnathan
6ac71050dc
[Rule Tuning] Remote File Download via PowerShell (#5062)
* [Rule Tuning] Remote File Download via PowerShell
* Update command_and_control_remote_file_copy_powershell.toml
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update command_and_control_remote_file_copy_powershell.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-09-08 07:59:53 -07:00
Jonhnathan
4aa6c4e715
[Rule Tuning] Untrusted Driver Loaded (#5061)
* [Rule Tuning] Untrusted Driver Loaded
* Update defense_evasion_untrusted_driver_loaded.toml
2025-09-05 06:12:30 -07:00
Jonhnathan
9ee15a13b0
[Rule Tuning] Connection to Commonly Abused Web Services (#5060)
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2025-09-04 11:58:13 -07:00
shashank-elastic
b4db783413
Tune a Tag discrepancy in rule (#5053)
2025-09-02 21:12:06 +05:30
Samirbous
0bbad3bbf8
Update defense_evasion_modify_ownership_os_files.toml (#5051)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-02 08:18:35 -07:00
Ruben Groenewoud
ef7ff52119
[Rule Tuning] Misc. Linux ES|QL Rules (#5050)
* [Rule Tuning] Misc. Linux ES|QL Rules
* update date bump
* ++
* Update persistence_web_server_sus_child_spawned.toml
* Update working directory conditions in TOML file
2025-09-02 13:49:22 +02:00
Jonhnathan
8d2ea9220b
[New Rules] Potential Relay Attack against a Computer Account (#4826)
* [New Rules] Potential Relay Attack against a Computer Account Rules
* update description
* .
* add min_stack
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-01 10:07:37 -07:00
Samirbous
464fb3951e
[Tuning] Unusual Network Activity from a Windows System Binary (#5048)
2025-09-01 22:17:53 +05:30
Jonhnathan
a31b3a36ad
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
* pending adjustments
* Update execution_windows_cmd_shell_susp_args.toml
2025-09-01 09:30:21 -07:00
Samirbous
a62ee7a8a2
[New] Active Directory Discovery using AdExplorer (#5047)
* [New] Active Directory Discovery using AdExplorer
* Update discovery_ad_explorer_execution.toml
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:58:22 +01:00
Samirbous
40794368a7
[New] Connection to Common Large Language Model Endpoints (#5044)
* [New] Connection to Common Large Language Model Endpoints
* [New] Connection to Common Large Language Model Endpoints
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_common_llm_endpoint.toml
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:47:31 +01:00
Jonhnathan
ba354ceff9
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
shashank-elastic
93ac471574
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
Samirbous
61af3e801d
[New] Potential System Tampering via File Modification (#5043)
* [New] Potential System Tampering via File Modification
* Update impact_mod_critical_os_files.toml
* Update rules/windows/impact_mod_critical_os_files.toml
* Create defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:52:26 +01:00
Samirbous
e1205cb5c5
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
* [New/Tuning] Windows Top Threats 2024/2025
1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3rd party EDR/sysmon/system/winlog integration and that does not require correlation or multiple types of events.
2) MSIEXEC:
* Update defense_evasion_mshta_susp_child.toml
* Update defense_evasion_script_via_html_app.toml
* Update defense_evasion_mshta_susp_child.toml
* Create defense_evasion_msiexec_remote_payload.toml
* Update defense_evasion_msiexec_remote_payload.toml
* ++
* Create execution_scripting_remote_webdav.toml
* Create execution_windows_fakecaptcha_cmd_ps.toml
* Create command_and_control_rmm_netsupport_susp_path.toml
* Update command_and_control_rmm_netsupport_susp_path.toml
* ++
* Update execution_jscript_fake_updates.toml
* Create command_and_control_dns_susp_tld.toml
* ++
* Create command_and_control_remcos_rat_iocs.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Update execution_scripts_archive_file.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* ++
* Create execution_nodejs_susp_patterns.toml
* Update execution_nodejs_susp_patterns.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Fix unit test errors
* Update defense_evasion_network_connection_from_windows_binary.toml
* Add system index
* Add tag
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Remove duplicate
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Create credential_access_browsers_unusual_parent.toml
* Update credential_access_browsers_unusual_parent.toml
* ++
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_mshta_susp_child.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_windows_phish_clickfix.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update execution_windows_phish_clickfix.toml
* Update rules/windows/defense_evasion_script_via_html_app.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_browsers_unusual_parent.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_nodejs_susp_patterns.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_script_via_html_app.toml
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:41:51 +01:00
Jonhnathan
b2bc6021f2
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths
* ++
* Update defense_evasion_workfolders_control_execution.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
2025-09-01 05:31:12 -07:00
Jonhnathan
dd918b1f80
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5039)
2025-09-01 05:09:31 -07:00
Terrance DeJesus
d9151c30ae
[Rule Tuning] M365 Portal Logins (Impossible & Atypical) (#5031)
* [Rule Tuning] M365 Portal Logins (Impossible & Atypical)
Fixes #5009
* updated new terms value
* fixed unit test failures
* Update rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* adjusted rule name and file names
* fixed field misspelling
* fixed investigation guide
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-29 15:41:38 -04:00
Terrance DeJesus
4aebb7dfc5
[Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access (#4997)
* tuning rule 'Microsoft Entra ID Suspicious Session Reuse to Graph Access'
* Update rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-08-29 14:57:25 -04:00
Terrance DeJesus
7e9ef00b79
[New Rule] Threat Intelligence Signal - Microsoft Defender for Office 365 (#4994)
* adding new rule 'Threat Intelligence Signal - Microsoft Defender for Office 365'
* added mitre mapping
* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* added note for max signals
* linted
* fixed unit test failure
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-08-29 14:41:34 -04:00
Terrance DeJesus
4b9e3887bb
[Rule Tuning] Multi-Factor Authentication Disabled for User (#5006)
* tuning rule 'Multi-Factor Authentication Disabled for User'
* adjusted query logic
* fixed query logic for optimization that passes unit tests; changed severity and risk back to medium
2025-08-29 13:20:12 -04:00
Isai
590cc9cbbd
[Tuning] First Occurrence of STS GetFederationToken Request by User (#5007)
Rule is executing as expected; however, it is alerting on failed requests. Low alert telemetry.
This tuning:
- removed markdown and edited description to be more specific
- reduced execution window for 1 min lookback
- name change to add `AWS` consistent with all other rules
- added references that reflect in the wild threats and persistence usage
- increased risk_score and severity to medium accounting for usage as persistence mechanism in the wild
- added Persistence tag and Mitre tactic, technique, subtechnique
- added `event.outcome: success` criteria to query
- edited investigation guide to be more accurate reflection of steps required for investigating alert, including appropriate response action
- added highlighted fields
Note: only IAMUser and Root user identities can call these actions, so we can use `aws.cloudtrail.user_identity.arn` as the new terms field without worrying about the Role vs Role + Session issue seen with other new_terms rules
2025-08-29 13:08:59 -04:00
Isai
4cde57de07
[Tuning] First Time AWS Cloudformation Stack Creation by User (#5036)
* [Tuning] First Time AWS Cloudformation Stack Creation by User
- corrected a creation_date error
- Removed `CreateStackSet` API call as this only creates a blueprint for creating stack instances across multiple AWS accounts and regions but does not actually create the resources
- Added `CreateStackInstances` API call which is used to create resources defined in the StackSet
- removed user from rule name as this also triggers for roles
- edited description and investigation guide
- added Mitre technique
* adding highlighted fields
2025-08-29 12:36:21 -04:00
Jonhnathan
79daf3fc68
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:28:14 -07:00
Jonhnathan
ccedd45df1
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* ++
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:07:38 -07:00
Jonhnathan
86dd350579
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:50:59 -07:00
Jonhnathan
7eec833ec8
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12
* Update rules/windows/persistence_app_compat_shim.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:40:03 -07:00
Jonhnathan
41dd521546
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:28:49 -07:00
Jonhnathan
9c08869575
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
Jonhnathan
be18b4db16
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_wdac_policy_by_unusual_process.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:04:55 -07:00
Jonhnathan
48dfb759cd
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)
2025-08-28 11:51:45 -07:00
Jonhnathan
1af98a6170
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_proxy_execution_via_msdt.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:37:15 -07:00
Jonhnathan
b91e73714e
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5
* Update defense_evasion_ms_office_suspicious_regmod.toml
2025-08-28 11:26:09 -07:00
Jonhnathan
85a0d27b13
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 (#5019)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:05:42 -07:00
Jonhnathan
0fbf57c1d9
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_file_creation_mult_extension.toml
* Update rules/windows/defense_evasion_file_creation_mult_extension.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 10:55:21 -07:00
Jonhnathan
8ab98458fa
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2
* Update defense_evasion_code_signing_policy_modification_registry.toml
* Update defense_evasion_communication_apps_suspicious_child_process.toml
* Update rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
* Update defense_evasion_communication_apps_suspicious_child_process.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 10:40:34 -07:00
Jonhnathan
00c6e785cb
[Rule Tuning] Windows - Small Adjusts for Compatibility (#5032)
2025-08-28 10:20:13 -07:00
Jonhnathan
9c2ceb2bd7
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1
* Update defense_evasion_amsi_bypass_dllhijack.toml
* Update command_and_control_outlook_home_page.toml
* Update command_and_control_outlook_home_page.toml
* Update defense_evasion_amsi_bypass_dllhijack.toml
* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 06:43:09 -07:00
Samirbous
fbfc696a86
Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008)
2025-08-26 13:03:59 +01:00
Isai
bfb29ecf37
[Rule Tuning] First Time Seen AWS Secret Value Accessed in Secrets Manager (#4992)
This rule is evaluating the "new terms" against every individual role session, rather than against the Role itself. This is causing a massive volume of alerts.
- updated rule description and investigation guide
- reduced execution window and interval
- replaced the new terms field `user.id` with a combination of `cloud.account.id` and `user.name` to account for evaluation against Roles and in the event that separate AWS accounts under the same Org reuse IAM user names. This will only evaluate the Role instead of each individual role session, which should greatly improve performance.
2025-08-25 12:00:47 -04:00
Isai
df179f0ab1
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4995)
* [Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time
Rule is executing as expected with no troubling alerts in telemetry. For tuning I've:
- reduced the execution window
- removed MD from description and FP as it's not supported in Kibana UI
- edited some of the language of IG to speak about the exclusion of AssumedRoles
- edited the highlighted fields for consistency across AWS rules
* updated broken link
updated broken reference link
2025-08-25 11:44:58 -04:00
Ruben Groenewoud
a4a5b171c4
[New Rule] Multi-Base64 Decoding Attempt from Suspicious Location (#4931)
* [New Rule] Multi-Base64 Decoding Attempt from Suspicious Location
* ++
* Update rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/linux/defense_evasion_multi_base64_decoding_attempt.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-08-25 10:31:25 +02:00
Isai
c151d69d36
[Rule Tuning] AWS STS AssumeRole with New MFA Device (#4999)
* [Rule Tuning] AWS STS AssumeRole with New MFA Device
This rule is triggering as expected, with a low volume of alerts in telemetry. This tuning:
- slight edits to IG
- removed user.id wildcard usage in query as this field always exists for these events
- added the from and interval fields for consistency across rules (they are currently using the same values by default so no real change here)
* adding investigation fields
adding investigation fields
2025-08-22 14:48:39 -04:00