Commit Graph

34 Commits

Author SHA1 Message Date
Austin Songer 6b45186827 [New Rule] AWS EC2 VM Export Failure (#1142)
* New Rule: AWS EC2 VM Export Failure

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-06-09 13:03:37 -06:00
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194)
* standardize usage of note field
2021-05-10 13:40:56 -08:00
Austin Songer 8362578492 [Rule Tuning] AWS IAM Deactivation of MFA Device (#1132)
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-04-23 14:52:54 -04:00
Ross Wolf 791c911b9e Merge branch '7.12' into main 2021-04-15 16:17:59 -06:00
Brent Murphy c1fd3b3374 [Rule Tuning] AWS Config Service Tampering (#1108)
* Update defense_evasion_config_service_rule_deletion.toml
2021-04-14 17:13:27 -04:00
Brent Murphy c64e700c56 [Rule Tuning] Update Cloud Rule Syntax (#1061)
* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 10:49:28 -04:00
Justin Ibarra 462fab3ff8 Update threshold rule schema to disallow empty field string (#1098)
* Update threshold rule schema to disallow empty field string
* lock versions for rule changes
2021-04-14 04:56:38 -08:00
Justin Ibarra 0e0b2ea1a4 Update schema for threshold rule type for 7.12 (#976)
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 90a9320f93 [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951)
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
Justin Ibarra 61deed3fd2 [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948)
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
Justin Ibarra e272800a5d Add ATT&CK sub-technique support to CLI (#614)
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Justin Ibarra d3226c72c9 Add test for tactic in rule filename (#398) 2020-10-20 14:48:33 -08:00
Justin Ibarra a212008f8c [Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342) 2020-09-30 09:41:33 -08:00
Brent Murphy 8a5e0dd441 [New Rule] AWS Management Console Attempted Root Login Brute Force (#88)
* Create initial_access_root_console_failure_brute_force.toml

* bumping threshold value to 10

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update initial_access_root_console_failure_brute_force.toml

* Update rules/aws/initial_access_root_console_failure_brute_force.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update initial_access_root_console_failure_brute_force.toml

* update with FP info

* update threshold field

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 13:37:22 -04:00
Brent Murphy 6a1e97cd06 [Rule Tuning] Update AWS rules to account for Agent index (#256)
* Update AWS rules

* change updated date
2020-09-21 09:04:50 -04:00
Brent Murphy 70cc7fd112 [Rule Tuning] AWS Root Login Without MFA (#229)
* Update privilege_escalation_root_login_without_mfa.toml

* Update privilege_escalation_root_login_without_mfa.toml

* update index

* Update privilege_escalation_root_login_without_mfa.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:57:51 -04:00
Justin Ibarra 79a0dfefbe Add ECS 1.6.0 schema for validation testing (#220)
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
Brent Murphy 01b1e8be26 [Rule Tuning] Update Tags for Cloud Rules (#99)
* [Rule Tuning] Update Tags for Cloud Rules

* commenting out specifying alphabetical tag order in rule formatter

* Update rule_formatter.py

* py lint

* Lint fix comments

* update modified dates

* Update credential_access_secretsmanager_getsecretvalue.toml

* adding Continuous Monitoring tag

* update tags

* fixed and in tags

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-08-03 17:15:15 -04:00
Ross Wolf 978a8d9df8 [Bug] Set threshold.field to empty string instead of null (#87) 2020-07-22 19:31:09 -04:00
Brent Murphy e08ff6c55d [Rule Tuning] Update Cloud rules with note field (#79)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-07-21 12:27:42 -04:00
David French 4784342723 [New Rule] AWS IAM Brute Force of Assume Role Policy (#67)
* Create credential_access_aws_iam_assume_role_brute_force.toml

* Update maturity to production

* Update formatting for query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rule name

* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rule description

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update note field in rule

... to inform users that AWS Filebeat module must be enabled to use this rule.

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* lint rule

* Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-07-20 12:43:26 -06:00
Samirbous 676be30199 [New rule] AWS Secrets Manager and System Manager
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-07-08 12:48:04 -06:00
Seth Goodwin c577426510 Update Lookback Interval for AWS Rules 2020-07-08 08:50:01 -06:00
Ross Wolf 316be47e27 Rename AWS to aws 2020-07-08 08:43:30 -06:00
Craig Chamberlain 94974c3895 Detect DeleteRule events with AWS WAF Deletion
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
2020-07-07 15:44:11 -06:00
Craig Chamberlain ee82874c24 [New Rule] AWS Config Service Tampering
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
2020-07-07 15:43:22 -06:00
seth-goodwin cae5fee025 [New Rule] Add AWS Password Recovery Requested 2020-07-07 15:38:52 -06:00
Seth Goodwin 8052a1ea1f [New Rule] Add rule for AWS UpdateAssumeRolePolicy
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-07-07 15:38:18 -06:00
Seth Goodwin c1a1cf6854 [New Rule] AWS Root Login Without MFA
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-07-07 15:07:17 -06:00
Ross Wolf 5fcece8416 Populate rules/ directory.
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 22:57:03 -06:00