Commit Graph

33 Commits

Author SHA1 Message Date
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194)
* standardize usage of note field
2021-05-10 13:40:56 -08:00
Brent Murphy c64e700c56 [Rule Tuning] Update Cloud Rule Syntax (#1061)
* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 10:49:28 -04:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 90a9320f93 [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951)
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
Justin Ibarra 61deed3fd2 [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948)
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
Justin Ibarra c1a0438f45 [Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
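As an added example (not the project's own test code), the kind of rule-metadata checks the two [Rule Tuning] commits above describe: the ATT&CK test that fails on revoked techniques, deprecated techniques, or a technique mapped to a tactic it does not belong to (c1a0438f45), and the timestamp_override policy for query and non-sequence EQL rules with the exemption for endgame-* promotion rules (61deed3fd2, 90a9320f93). Rules are plain dicts shaped like parsed rule TOML; the revoked and deprecated sets, the technique-to-tactic table, and the three sample rules are constructed for illustration and are only a small subset of the real ATT&CK data.

```python
"""Rule metadata checks modelled on the tests described in the commit log.

Added example, not detection-rules' own code. Rules are dicts shaped like the
[rule] table of a parsed rule TOML file. The ATT&CK tables below are a small
constructed subset; a real test would load the full ATT&CK STIX bundle.
"""
from __future__ import annotations

from typing import Iterable

# Constructed subset. Revoked techniques were replaced by a new ID; deprecated
# techniques were removed without a replacement.
REVOKED = {"T1089": "T1562.001", "T1064": "T1059", "T1086": "T1059.001"}
DEPRECATED = {"T1061", "T1062"}

# Constructed subset of the technique -> allowed tactics relationship.
TECHNIQUE_TACTICS = {
    "T1562": {"Defense Evasion"},
    "T1562.008": {"Defense Evasion"},
    "T1485": {"Impact"},
    "T1531": {"Impact"},
    "T1136.003": {"Persistence"},
    "T1530": {"Collection"},
    "T1078": {"Defense Evasion", "Persistence", "Privilege Escalation", "Initial Access"},
}


def _technique_ids(threat: dict) -> Iterable[str]:
    """Yield technique and sub-technique IDs from one [[rule.threat]] entry."""
    for tech in threat.get("technique", []):
        yield tech["id"]
        for sub in tech.get("subtechnique", []):
            yield sub["id"]


def check_attack_mapping(rule: dict) -> list[str]:
    """Fail on revoked, deprecated, unknown, or tactic-mismatched techniques."""
    errors = []
    for threat in rule.get("threat", []):
        tactic = threat["tactic"]["name"]
        for tid in _technique_ids(threat):
            if tid in REVOKED:
                errors.append(f"{tid} is revoked; use {REVOKED[tid]}")
            elif tid in DEPRECATED:
                errors.append(f"{tid} is deprecated; remove the mapping")
            elif tid not in TECHNIQUE_TACTICS:
                errors.append(f"{tid} is not in the technique table")
            elif tactic not in TECHNIQUE_TACTICS[tid]:
                errors.append(f"{tid} is not mapped to tactic {tactic}")
    return errors


def check_timestamp_override(rule: dict) -> list[str]:
    """Query and non-sequence EQL rules need timestamp_override; endgame-* rules must not set it."""
    errors = []
    is_endgame = any(p.startswith("endgame-") for p in rule.get("index", []))
    is_sequence = rule.get("type") == "eql" and rule.get("query", "").lstrip().startswith("sequence")
    needs_override = rule.get("type") == "query" or (rule.get("type") == "eql" and not is_sequence)
    has_override = "timestamp_override" in rule
    if is_endgame:
        if has_override:
            errors.append("endgame-* promotion rule must not set timestamp_override")
    elif needs_override and not has_override:
        errors.append("query / non-sequence EQL rule must set timestamp_override")
    return errors


def validate_rule(rule: dict) -> list[str]:
    return check_attack_mapping(rule) + check_timestamp_override(rule)


# Constructed sample rules (not rules from the repository).
GOOD_RULE = {
    "type": "query", "language": "kuery",
    "index": ["filebeat-*", "logs-gcp*"],
    "timestamp_override": "event.ingested",
    "threat": [{
        "framework": "MITRE ATT&CK",
        "tactic": {"id": "TA0005", "name": "Defense Evasion"},
        "technique": [{"id": "T1562", "subtechnique": [{"id": "T1562.008"}]}],
    }],
}
BAD_RULE = {
    "type": "query", "language": "kuery", "index": ["filebeat-*"],
    "threat": [{
        "framework": "MITRE ATT&CK",
        "tactic": {"id": "TA0040", "name": "Impact"},
        "technique": [{"id": "T1089"}, {"id": "T1078"}],  # revoked; wrong tactic
    }],
}
ENDGAME_RULE = {
    "type": "query", "language": "kuery", "index": ["endgame-*"],
    "timestamp_override": "event.ingested",
}

if __name__ == "__main__":
    for name, rule in [("good", GOOD_RULE), ("bad", BAD_RULE), ("endgame", ENDGAME_RULE)]:
        print(name, validate_rule(rule) or "ok")
```

Running the block reports the good rule as clean, three findings for the bad rule (a revoked technique, a technique under the wrong tactic, and a missing timestamp_override), and one finding for the endgame-* rule that still carries timestamp_override.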
Brent Murphy 627610401c [Rule Tuning] Update rules for new Fleet integrations (#729)
* update azure indices

* remove . in index to match prior cloud rules

* update o365 indices

* add event.dataset:google_workspace.admin to existing google workspace rules

* gcp syntax

* add gcp index

* update gcp index

* update index patterns for google workspace rules

* update gcp index2

* update updated_date

* update event outcome for azure

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-18 12:23:12 -05:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Justin Ibarra a212008f8c [Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342) 2020-09-30 09:41:33 -08:00
Brent Murphy 652b2c5e44 [New Rule] GCP Logging Sink Deletion (#306)
* Create gcp_logging_sink_deletion.toml

* update description

* update rule name
2020-09-24 17:19:27 -04:00
Brent Murphy 17e3d83b29 [New Rule] GCP Pub/Sub Subscription Deletion (#334)
* Create gcp_pub_sub_subscription_deletion.toml

* update rule name with mitre tactic
2020-09-24 13:21:28 -04:00
Brent Murphy 367d870654 [New Rule] GCP Logging Bucket Deletion (#308)
* Create gcp_logging_bucket_deletion.toml

* update rule name with mitre tactic
2020-09-24 13:14:18 -04:00
Brent Murphy 21d19863e2 [New Rule] GCP Pub/Sub Topic Deletion (#307)
* Create gcp_pub_sub_topic_deletion.toml

* Update rules/gcp/gcp_pub_sub_topic_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* linting

* update rule name with mitre tactic

* correct spelling error in rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-24 13:09:50 -04:00
Brent Murphy e34a969cd3 Create collection_gcp_pub_sub_subscription_creation.toml (#332) 2020-09-24 12:08:49 -04:00
David French bd2ec8a194 [New Rule] GCP Virtual Private Cloud Route Created (#326)
* [New Rule] GCP Virtual Private Cloud Route Created

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:47:21 -06:00
David French df19db4f67 [New Rule] GCP Virtual Private Cloud Network Deleted (#325)
* [New Rule] GCP Virtual Private Cloud Network Deleted

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:44:48 -06:00
David French de85f483a4 [New Rule] GCP Virtual Private Cloud Route Deleted (#324)
* [New Rule] GCP Virtual Private Cloud Route Deleted

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:31:48 -06:00
David French de6f326c72 [New Rule] GCP Storage Bucket Configuration Modified (#322)
* Create defense_evasion_gcp_storage_bucket_configuration_modified.toml

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:29:53 -06:00
David French 01c904f2dd [New Rule] GCP Firewall Rule Created (#312)
* new-rule-gcp-firewall-rule-created

* Add FP info to rule

* Add ATT&CK metadata

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:27:41 -06:00
David French 6e61be64b2 Create impact_gcp_service_account_disabled.toml (#320) 2020-09-24 09:23:10 -06:00
David French 586cf69ec6 [New Rule] GCP Service Account Deleted (#319)
* Create impact_gcp_service_account_deleted.toml

* Update rule name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:21:29 -06:00
David French 142ad038c2 [New Rule] GCP Service Account Created (#318)
* new-rule-gcp-service-account-created

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:19:14 -06:00
David French be4b5bb1c1 [New Rule] GCP Storage Bucket Deleted (#315)
* new-rule-gcp-storage-bucket-deleted

* Add FP info to rule

* Update rule name

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:17:52 -06:00
David French 2b4044081e [New Rule] GCP Key Created for Service Account (#314)
* new-rule-gcp-key-created-for-service-account

* Add FP info to rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:16:18 -06:00
David French bda33a559b [New Rule] GCP Storage Bucket Permissions Modified (#313)
* new-rule-gcp-storage-bucket-permissions-modified

* Add FP info to rule

* Update name to make Brent a happy chappy

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:14:13 -06:00
Brent Murphy e6326afd5d Create collection_gcp_pub_sub_topic_creation.toml (#331) 2020-09-24 11:12:59 -04:00
David French 93f57b22f7 [New Rule] GCP Firewall Rule Modified (#311)
* new-rule-gcp-firewall-rule-modified

* Update rule maturity to production

* Add FP info to rule

* Add ATT&CK metadata

* Lint rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:06:19 -06:00
David French 369d4f4a85 [New Rule] GCP Firewall Rule Deleted (#310)
* new-rule-gcp-firewall-rule-deleted

* Update rule maturity to production

* Add FP info to rule

* Update rule maturity to production

* Add ATT&CK metadata

* Lint rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:03:55 -06:00
Brent Murphy 968a3b4406 Create impact_gcp_iam_role_deltion.toml (#329) 2020-09-24 10:51:10 -04:00
Brent Murphy 275433596d Create exfiltration_gcp_logging_sink_modification.toml (#317) 2020-09-24 10:32:10 -04:00
Brent Murphy eef4f54dba Create initial_access_gcp_iam_custom_role_creation.toml (#316)
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-24 10:19:40 -04:00
Brent Murphy 56fc99f152 [New Rule] GCP IAM Service Account Key Deletion (#309)
* Create credential_access_gcp_iam_service_account_key_deletion.toml

* remove extra word in fp info

* linting
2020-09-24 10:15:15 -04:00