security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
662 Commits 1 Branch 0 Tags
e897a6760429ea46da15ebbca1609b62fd37fee9
Commit Graph

662 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ross Wolf e897a67604 Fix fleet package generation (#1296) 
* Fix fleet package generation
* Add .lstrip()
* Lint fix
* Add newline
 2021-06-17 06:16:09 -06:00
Ross Wolf f6839e98d1 Simplify version locking code and fix 7.13.0 lock (#1295) 
* Update version lock overwrite command
* Fix tooling and restore old version lock
* Lint fix
* Fix tests
* Remove dead code
* Filter to prod+deprecated rules
* Cast set -> list
* Store deprecation info
* Add correct version.lock.json (finally)
* Fix "stack_version" typo
* Remove stack_version
* Back out main.py changes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-06-16 18:02:47 -06:00
Apoorva Joshi e41fe620e6 [New Rule] Add detection rules for auth ML jobs (#1283) 
* Adding detection rules for auth ML jobs

* name prefix

added the prefix "auth" to the file names

* Added descriptions

* Adding new lines and updating license

* FP text

added FP metadata

Co-authored-by: Craig <mailredirector36@gmail.com>
 2021-06-16 16:00:17 -07:00
Justin Ibarra e0fa25ae8e Fix rules which were note using v2 license (#1291) 2021-06-16 08:21:30 -06:00
Ross Wolf 49cb2e8dbf [Bug] Fix ML job IDs that used hyphens (#1287) 
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date
 2021-06-15 11:40:47 -06:00
David French 177cfc85bf [Rule Tuning] Attempts to Brute Force an Okta User Account (#1216) 
* update rule.threshold field value

* add rule authors

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-06-15 10:07:51 -06:00
Apoorva Joshi 1f7c88c6f4 Updating rules to query v2 (#1254) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-06-15 07:20:50 -07:00
Ross Wolf 61e5b44c44 [Fleet] Update template and packaging code for fleet packages (#1280) 
* Update template and packaging code for fleet packages
* Fix linting
 2021-06-15 07:54:50 -06:00
Brent Murphy 12577f7380 [Rule Tuning] Update network rule address blocks (#1227) 
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-15 09:22:59 -04:00
Austin Songer 546e43071c [Rule Tuning] Attempts to brute force a microsoft 365 user account (#1163) 
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-15 09:20:20 -04:00
Brent Murphy 13bf55480a Update persistence_suspicious_com_hijack_registry.toml (#1244) 2021-06-14 09:00:22 -04:00
Ross Wolf c98398f1ef Add KQL support for additional ES field types (#1247) 2021-06-10 22:30:11 -06:00
Austin Songer 6b45186827 [New Rule] AWS EC2 VM Export Failure (#1142) 
* New Rule: AWS EC2 VM Export Failure

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-06-09 13:03:37 -06:00
Brent Murphy fce022c275 [New Rule] Modification of AmsiEnable Registry Key (#1248) 
* Create defense_evasion_amsienable_key_mod.toml
 2021-06-07 13:21:18 -04:00
Ross Wolf 90c6f24e8f Lock the versions from 7.13.0 (#1256) 2021-06-04 16:15:33 -06:00
Apoorva Joshi 8bb7218e38 Update problem-child.md (#1253) 2021-06-03 11:47:00 -08:00
Justin Ibarra 0ec8d67e78 Refactor experimental ML CLI and code (#1218) 
* move github and ml to their own files
* refactor release and ml commands
* update ML readmes
* add unzip_to_dict function
* prompt for model ID in remove-model
* update experimental rule upload process
* update remove-scripts-pipelines to take multiple options

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Apoorva <appujo@gmail.com>
 2021-06-02 20:37:12 -08:00
Justin Ibarra e46f5e96d3 Fix create-rule bug (#1246) 2021-06-01 08:31:36 -08:00
Brent Murphy 6626cbb943 Update privilege_escalation_persistence_phantom_dll.toml (#1228) 2021-06-01 09:29:09 -04:00
Brent Murphy c457614e37 [New Rule] Unusual Network Connection via DllHost (#1232) 
* Create defense_evasion_unusual_network_connection_via_dllhost.toml
* add timestamp override
 2021-05-28 15:09:09 -04:00
Brent Murphy 31e8d03438 [New Rule] Suspicious Execution from a Mounted Device (#1230) 
* Create defense_evasion_suspicious_execution_from_mounted_device.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-05-28 14:44:07 -04:00
Ross Wolf b0270d059f Add a command to create a Kibana PR (#1208) 
* Add a command to create a Kibana PR
* Reformat code
* Fix docstring whitespace
* Make a hidden token prompt
* Fix E501
 2021-05-17 14:57:21 -06:00
Austin Songer 58ea49b092 [Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts (#1200) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-05-14 15:52:02 -04:00
Ross Wolf a940c10ead Update backport.yml (#1205) 2021-05-13 16:54:52 -06:00
Ross Wolf eb40c52c7c Port historical schemas to jsonschema (#1084) 
* Port historical schemas to jsonschema
* Add marshmallow-json dependency
* Mark etc/api_schemas as binary
* Remove gitattributes attempt
* Lint fix
* Apply PR feedback
* Additional PR feedback
* Extract stack version from packages.yml
* Fix the backport schemas
* Cache the schema reads
* Add migration for #1167
* Make a separate 'migration not found' error
 2021-05-13 14:27:32 -06:00
Brent Murphy e40276c12b [Bug] Update main.py to fix toml-lint (#1202) 2021-05-13 09:43:13 -06:00
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194) 
* standardize usage of note field
 2021-05-10 13:40:56 -08:00
Ross Wolf 60f5168f07 Retrieve branch history of main in backport job 2021-05-06 23:12:57 -06:00
Ross Wolf 700c63d7d5 Disable persist-credentials from checkout job (#1187) 
* Disable persist-credentials from checkout job
* Set the token at the checkout stage
 2021-05-06 22:58:31 -06:00
Ross Wolf a33e943591 Use @protectionsmachine to push backports (#1186) 2021-05-06 22:26:30 -06:00
Ross Wolf f3f344018b Fix backport job webhook + push (#1185) 2021-05-06 21:32:40 -06:00
Ross Wolf 2ceb5b52c9 Add job for 'backport: auto' labeled PRs (#1174) 
* Add job for 'backport: auto' labeled PRs

* Limit the job to sequential only

* Fix delayed labels and use the right commit

* Add slack webhook integration
 2021-05-06 20:03:05 -06:00
Justin Ibarra 1fb0b6726e Fix rule filenames during packaging (#1158) 2021-05-05 11:27:04 -08:00
Justin Ibarra 3d7f5d73a4 Allow ML rules to accept a single or array of job IDs (#1167) 2021-05-05 11:12:12 -08:00
Justin Ibarra 7040538a9a bump packages version to 7.14 2021-04-30 11:32:18 -08:00
Justin Ibarra 82ec6ac1ee Convert windows rules from KQL to EQL (#1114) 2021-04-30 11:21:12 -08:00
Andrew Pease 92eaa5b18a [New Rule] Threat intel indicator match rule (#1133) 2021-04-26 07:07:04 -05:00
Austin Songer 8362578492 [Rule Tuning] AWS IAM Deactivation of MFA Device (#1132) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-23 14:52:54 -04:00
Justin Ibarra a0a3143a52 Refresh beats and ecs schemas (#1140) 
* download new beats and ecs schemas
* add beats download func by version and download v7.11.2
 2021-04-22 09:49:06 -08:00
Ross Wolf 8d8bcfbc42 Add wildcard field support to KQL (#1139) 2021-04-22 11:15:38 -06:00
Justin Ibarra cabe9239c0 Add threat_match rule type (#1138) 2021-04-22 09:03:57 -08:00
Ross Wolf 8789dd7c90 Separate out query validation from the class hierarchy (#1136) 
* Separate out query validation from the class hierarchy
* Rename to *RuleData for consistency
* Apply suggestions from code review
* Fix lint error
 2021-04-21 14:55:26 -06:00
Brent Murphy ff45539369 [Deprecation] Deprecate inherently noisy rules based on testing (#1122) 
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-04-21 15:10:06 -04:00
Justin Ibarra e656a984b3 Update threshold rule schema to disallow empty field string (#1099) 2021-04-15 16:22:45 -06:00
Ross Wolf 791c911b9e Merge branch '7.12' into main 2021-04-15 16:17:59 -06:00
Ross Wolf 5669988e0b Remove unnecessary required=False check 2021-04-15 16:16:42 -06:00
Samirbous 0400dc207a [Deprecation] Process Discovery via Tasklist (#1116) 
* [Deprecation] Process Discovery via Tasklist

* deprecation_date

* update date

* Update rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-15 22:18:56 +02:00
Samirbous e323084433 [Deprecation] Trusted Developer Application Usage (#1118) 
* [Deprecation] Trusted Developer Application Usage

* update date
 2021-04-15 22:15:38 +02:00
Samirbous 170b87097d [New Rule] Potential Protocol Tunneling via EarthWorm (#1094) 
* [New Rule] Potential Protocol Tunneling via EarthWorm

* fixed tactic ID

* fixed rule_id

* tactic case sensitive

* tags

* Update rules/linux/command_and_control_tunneling_via_earthworm.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-04-15 10:17:56 +02:00
Justin Ibarra b0f449339d add branch_name option to kibana-commit command 2021-04-14 21:16:09 -08:00