security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,679 Commits 1 Branch 0 Tags
e8c54169a496e2bc788371a7bf8564c81c08b751
Commit Graph

2679 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
 2025-03-26 11:04:14 -04:00
Eric Forte 2d2c5b4d88 [Bug] Update Custom Rules Markdown Location (#4565) 
* Update to custom-rules markdown location

* bump version

* Update link reference
 2025-03-26 10:00:52 -04:00
Terrance DeJesus 5e12f05a36 fixing double header in investigation notes (#4490) 2025-03-25 09:08:13 -04:00
Martijn Laarman 3bbe24d154 Create new detection rule set documentation to be included in the new docs. (#4508) 
* move docs folder to docs-dev

* Add new docs folder

* update docset.yml to reflect latest usage

* Add rules_building_block folder

* revert changes to docs-dev/experimental-machine-learning/url-spoof.md

* bump patch versions

* revert bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-03-24 17:23:06 +01:00
Sergey Polzunov 65170c394b fix: removing outdated code in Kibana client auth (#4495) 
* Simplify kibana session management

* Drop removed options from `kibana_args` set

* Style fix

* Patch version bump

* Bumping kibana lib version

* Relax CLI requirement, making `api_key` optional, to allow `help` to run
 2025-03-24 12:28:36 +01:00
Terrance DeJesus db78756062 [New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535) 
* new rules for AWS DynamoDB data exfiltration

* bumping patch version

* adjusting investigation guide

* updating patch version

* updating patch version

* updating patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-21 10:05:24 -04:00
Eric Forte 75b2b5cb6a [FR] Bump changed-files Version to Patched Version (#4542) 
* Bump changed-files Version to Patched Version

* patch bump

* reenable workflow

* Use full length commit hash

* Bump 44 to 46

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2025-03-20 12:58:21 -04:00
Martijn Laarman cd9ec7838c [ci] Add new docs-builder automation. (#4507) 
* Add new docs automation

* Add path-pattern filters for documentation folders

* Update .github/workflows/docs-build.yml

Co-authored-by: Jan Calanog <nejcalanog@gmail.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jan Calanog <nejcalanog@gmail.com>
Co-authored-by: Sergey Polzunov <traut@users.noreply.github.com>
 2025-03-20 17:20:27 +01:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Kirti Sodhi 955e973c00 Change description and name of problemchild ML detection-rules (#4545) 
Changed description and name of problemchild ML detection-rules
 2025-03-20 08:58:10 -04:00
Samirbous 28a06fd25f Update defense_evasion_posh_assembly_load.toml (#4543) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-20 05:13:28 -03:00
Eric Forte 5ccb7ed4af Min stack rules from 4516 (#4549) 2025-03-19 20:27:30 -04:00
Eric Forte 5b3dc4a4a7 Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548) 
This reverts commit 2ff8d1bb56.
 2025-03-19 20:08:08 -04:00
Kirti Sodhi 2ff8d1bb56 Add new ML detection rules for Privileged Access Detection (#4516) 
Add detection-rules for privileged access detection integration
 2025-03-19 11:02:28 -04:00
Eric Forte 40a97f719f Temporaily Disable Changed FIles Workflow (#4538) 
* Temporaily Disable Changed FIles Workflow

* bump version
 2025-03-14 23:42:48 -04:00
shashank-elastic 0993ced309 Deprecate Cloud Defend Rules (#4537) 2025-03-14 21:27:37 +05:30
Samirbous 290f0be959 Update defense_evasion_execution_suspicious_explorer_winword.toml (#4533) 2025-03-14 10:46:56 -03:00
github-actions[bot] a64b6a39a7 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4531) 2025-03-12 19:02:53 +05:30
Ruben Groenewoud d7d8c414ec [New Rule] File Creation in /var/log via Suspicious Process (#4528) 
* [New Rule] File Creation in /var/log via Suspicious Process

* ++

* ++
 2025-03-12 12:50:48 +01:00
github-actions[bot] 02be7cac0a Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4530) 2025-03-12 12:49:43 +05:30
Terrance DeJesus 3ed820afa8 [New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523) 
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'

* updating name

* added investigation guide

* updated investigation guide

* updated investigation guide

* removed unnecessary comment

* adjusted logic to count distinct on principal id; principal name will be in aggregations now

* updated Entra ID name
 2025-03-11 11:25:10 -04:00
Terrance DeJesus aacb376acf [New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524) 
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'

* updating tactic tag

* adjusted query logic for user type

* updated Entra ID name
 2025-03-11 11:05:56 -04:00
Terrance DeJesus fd1369a164 [New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525) 
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'

* linted; updated UUID

* adjusted rule name and logic to focus on any rare authentication requirements

* adjusted file name
 2025-03-11 10:51:01 -04:00
Terrance DeJesus 7c4f334a00 [New Hunt] Adding Hunting Queries for Azure Entra Sign-In Anomalies (#4527) 
* adding new hunts for Azure entra sign-in anomalies

* fixing commented query logic; added hydra user agent
 2025-03-11 10:27:08 -04:00
Eric Forte 4deb6a73b8 [FR] [DaC] Update Readme with DaC Support References (#4526) 
* Update Readme with DaC Support References

* Patch bump

* Call out DaC Pipeline support
 2025-03-10 21:24:12 -04:00
Eric Forte eadcd9d3e0 [FR] Add Env Var DR_CLI_MAX_WIDTH and DaC Docs Updates (#4518) 
* Add Env Var DR_CLI_MAX_WIDTH

* Version Bump

* Update limit from 120 to 240

* Clean references to reference main

* Update Readme with DaC Info

* Add DaC to Table of Contents

* Bump Patch Version

* Updated naming and add dac md

* Organize Imports

* Deprecate upload-rule

* Update docs/detections-as-code.md

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* move docs to docs-dev

* Sort custom rules imports

* Remove duplicate

* Fix typo

* Bump Patch Version

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-03-10 12:59:12 -04:00
Sergey Polzunov 3bdda091e1 chore: use docs-dev instead of docs dir for docs (#4522) 
* chore: use `docs-dev` instead of `docs` folder

* patch version bump

* Rollback an incorrect rename

* Use exact docs dir in the helper comment

* Revert some overeager renamings

* Moving `docs` to `docs-dev`

* Update Docs Paths

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2025-03-07 14:34:51 +01:00
shashank-elastic e28512a32f Deprecation Notice to Cloud Defend Rules (#4520) 
* Deprecation Notice to Cloud Defend Rules

* Udpate names in investigation guide

* Adding deprecation note under Setup field

* reverting back to setup field name

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2025-03-07 00:20:00 -05:00
Ruben Groenewoud 561ab703de [New Rule] Uncommon Destination Port Connection by Web Server (#4515) 2025-03-06 22:01:33 +05:30
Ruben Groenewoud 9fb7b57a47 [New Rule] Unusual File Creation from Web Server Parent (#4514) 
* [New Rule] Unusual File Creation from Web Server Parent

* Update rules/linux/persistence_web_server_sus_file_creation.toml

* Move to BBR
 2025-03-06 17:21:47 +01:00
Ruben Groenewoud fe0a9f4935 [New/Tuning] Docker Socket Enumeration (#4510) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 17:07:10 +01:00
Ruben Groenewoud 8dfa5da3bf [New Rules] Potential Port/Subnet Scanning Activity from Compromised Host (#4509) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-06 16:57:33 +01:00
Ruben Groenewoud fe06843636 [New Rule] Unusual Process Spawned from Web Server Parent (#4513) 2025-03-06 16:46:12 +01:00
traut 6eed757b66 Revert "Moving docs to docs-dev" 
This reverts commit 75abb8d0b5.
 2025-03-06 16:29:37 +01:00
traut 75abb8d0b5 Moving docs to docs-dev 2025-03-06 16:27:26 +01:00
Ruben Groenewoud 7ce6aaf566 [New Rule] Unusual Command Execution from Web Server Parent (#4512) 
* [New Rule] Unusual Command Execution from Web Server Parent

* ++
 2025-03-06 16:25:38 +01:00
Kirti Sodhi a1d6ff4a50 Added ML detection-rules for new Security Host package (#4519) 
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
 2025-03-06 19:53:29 +05:30
Sergey Polzunov 081bd03618 fix(ci): use negative patterns in paths instead of paths-ignore (#4521) 2025-03-06 13:57:41 +01:00
Sergey Polzunov 8854b3bea0 Ignore changes in rules/integrations except endpoint, and in _deprecated (#4498) 2025-03-05 12:49:46 +01:00
Sergey Polzunov 5f54eb8006 chore: Removing RTAs (#4437) 
* Delete RTAs

* Delete RTA-related orchestration code

* Drop RTAs from tests

* Remove RTAs from README

* Further cleanup

* Readme update

* Version bump and no more RTAs

* Styling fixes

* Drop RTAs from config files

* Drop `rule-mapping.yaml`

* Bring back event collector / normalizer

* Drop rta mention

* Cleanup rta leftovers

* Style fix

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-03-05 12:35:57 +01:00
Mika Ayenson, PhD 49c361dd98 [New Rules] Azure OpenAI (#3701) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-03-04 22:59:38 +05:30
Samirbous b1470a480b [New] WDAC Policy File by an Unusual Process (#4504) 
* [New] WDAC Policy File by an Unusual Process

https://github.com/logangoins/Krueger/tree/main

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_wdac_policy_by_unusual_process.toml

* Update defense_evasion_wdac_policy_by_unusual_process.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-03-04 15:21:58 +00:00
shashank-elastic 467034ee5b Deprecate an APM BBR rule (#4511) 2025-03-04 17:39:45 +05:30
Ruben Groenewoud b9e8115c2f [New Rule] Python Site or User Customize File Creation (#4500) 
* [New Rule] Python Site or User Customize File Creation

* Update persistence_site_and_user_customize_file_creation.toml

* Update persistence_site_and_user_customize_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:30:33 +01:00
Ruben Groenewoud d948279af6 [New Rule] Python Path File (pth) Creation (#4499) 
* [New Rule] Python Path File (pth) Creation

* ++

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

* Update persistence_pth_file_creation.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-03 15:20:00 +01:00
Ruben Groenewoud f70eafb8e7 [New Rule] Successful SSH Authentication from Unusual User (#4481) 
* [New Rule] Succesful SSH Authentication from Unusual User

* Rename initial_access_first_time_public_key_authentication.toml to initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update initial_access_successful_ssh_authentication_by_unusual_user.toml

* Update rules/linux/initial_access_successful_ssh_authentication_by_unusual_user.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-03-03 11:55:27 +01:00
Jonhnathan 5653190d08 [Rule Tuning] Remove hardcoded logic from description (#4503) 2025-02-28 14:38:18 -03:00
Ruben Groenewoud 06002cd9ac [New Rule] Kill Command Execution (#4485) 
* [New Rule] Kill Command Execution

* Update defense_evasion_kill_command_executed.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:26:50 +01:00
Ruben Groenewoud 9bb3b9f204 [New Rule] Unusual File Transfer Utility Launched (#4487) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:15:21 +01:00
Ruben Groenewoud 029fd45bb1 [New Rule] Base64 Decoded Payload Piped to Interpreter (#4488) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-28 11:01:52 +01:00