security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,679 Commits 1 Branch 0 Tags
e8c54169a496e2bc788371a7bf8564c81c08b751
Commit Graph

355 Commits

Author SHA1 Message Date
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
 2025-03-26 11:04:14 -04:00
Terrance DeJesus 5e12f05a36 fixing double header in investigation notes (#4490) 2025-03-25 09:08:13 -04:00
Terrance DeJesus db78756062 [New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535) 
* new rules for AWS DynamoDB data exfiltration

* bumping patch version

* adjusting investigation guide

* updating patch version

* updating patch version

* updating patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-21 10:05:24 -04:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Kirti Sodhi 955e973c00 Change description and name of problemchild ML detection-rules (#4545) 
Changed description and name of problemchild ML detection-rules
 2025-03-20 08:58:10 -04:00
Eric Forte 5ccb7ed4af Min stack rules from 4516 (#4549) 2025-03-19 20:27:30 -04:00
Eric Forte 5b3dc4a4a7 Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548) 
This reverts commit 2ff8d1bb56.
 2025-03-19 20:08:08 -04:00
Kirti Sodhi 2ff8d1bb56 Add new ML detection rules for Privileged Access Detection (#4516) 
Add detection-rules for privileged access detection integration
 2025-03-19 11:02:28 -04:00
shashank-elastic 0993ced309 Deprecate Cloud Defend Rules (#4537) 2025-03-14 21:27:37 +05:30
Terrance DeJesus 3ed820afa8 [New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523) 
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'

* updating name

* added investigation guide

* updated investigation guide

* updated investigation guide

* removed unnecessary comment

* adjusted logic to count distinct on principal id; principal name will be in aggregations now

* updated Entra ID name
 2025-03-11 11:25:10 -04:00
Terrance DeJesus aacb376acf [New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524) 
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'

* updating tactic tag

* adjusted query logic for user type

* updated Entra ID name
 2025-03-11 11:05:56 -04:00
Terrance DeJesus fd1369a164 [New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525) 
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'

* linted; updated UUID

* adjusted rule name and logic to focus on any rare authentication requirements

* adjusted file name
 2025-03-11 10:51:01 -04:00
shashank-elastic e28512a32f Deprecation Notice to Cloud Defend Rules (#4520) 
* Deprecation Notice to Cloud Defend Rules

* Udpate names in investigation guide

* Adding deprecation note under Setup field

* reverting back to setup field name

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2025-03-07 00:20:00 -05:00
Mika Ayenson, PhD 49c361dd98 [New Rules] Azure OpenAI (#3701) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-03-04 22:59:38 +05:30
Terrance DeJesus 4b7aa67213 [New Rule] Adding Coverage for M365 OneDrive Excessive File Downloads with OAuth Token (#4469) 
* new rule 'M365 OneDrive Excessive File Downloads with OAuth Token'

* removed Azure data source tag; added saas tag

* removed Azure data source tag; added saas tag

* updated mitre mappings

* added tactic:collection tag

* removed file directory, added targeted_time_window to aggregation
 2025-02-21 10:45:04 -05:00
Terrance DeJesus 0b98462cfe [New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458) 
* new hunting queries for SNS

* added KEEP to all queries; adjusted description in SNS rule
 2025-02-20 10:53:36 -05:00
Terrance DeJesus ec4523a6a9 [Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466) 
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'

* bumping patch version

* fixed investigation guide unit test failure

* bump patch
 2025-02-20 10:29:04 -05:00
Terrance DeJesus 17ea9fbdd5 [New Rule] Adding Coverage for AWS SNS Topic Created by Rare User (#4455) 
* new rule 'AWS SNS Topic Created by Rare User'

* changed file name

* Update rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml

* moved new terms link to investigation guide
 2025-02-20 10:05:40 -05:00
shashank-elastic 692a1382bf Fix spacing in Setup information (#4470) 2025-02-20 10:04:13 +05:30
Jonhnathan 5155f47b86 [Rule Tuning] Event Aggregation - Fix event.action & event.type conditions (#4445) 
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions

* .

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-07 18:42:28 -03:00
Mika Ayenson c7f5385711 [Rule Tuning] Decrease Interval to 1m for Endpoint Promotions (#4450) 2025-02-07 08:30:35 -06:00
shashank-elastic a866ee7f57 Fix remaining Replace master doc URLs with current (#4441) 2025-02-03 23:03:20 +05:30
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Terrance DeJesus bf1caf8b5f [Rule Tuning] December-January AWS Rule Tuning (#4425) 
* [Rule Tuning] AWS Monthly Rule Tunings

* Adding several more AWS tunings

* updating patch version

* updating non-ecs type to boolean

* fixed cloudtrail index
 2025-01-31 10:35:18 -05:00
Mika Ayenson 7c6c77932c [FR] Add Remaining Guides (#4412) 2025-01-22 14:43:30 -06:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Terrance DeJesus fb13b89f8d [New Rule] Adding Coverage for AWS S3 Unauthenticated Bucket Access by Rare Source (#4315) 
* adding new rule 'AWS S3 Unauthenticated Object Retrieval by Rare Source'

* adjusted logic to capture multiple event calls

* updated verbiage

* updated MITRE mappings

* fixing date
 2025-01-20 13:36:09 -05:00
Terrance DeJesus 7be96ec64d [Rule Tuning] Add Public Snapshot Coverage Regarding AWS EC2 EBS Snapshot Shared or Made Public (#4335) 
* removing detection gap for EBS snapshots that are made public

* reverted logic; added investigation note about public snapshots
 2025-01-20 13:15:41 -05:00
Ruben Groenewoud 01eda44298 [Rule Tuning] Linux Persistence Rules (#4393) 
* [Rule Tuning] Linux Persistence Rules

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
 2025-01-20 09:51:49 +01:00
Terrance DeJesus ca3994af0d [Deprecation] Deprecating Potential Password Spraying of Microsoft 365 User Accounts (#4394) 
* Deprecating 'Potential Password Spraying of Microsoft 365 User Accounts'

* adding 'Deprecated - Suspicious JAVA Child Process'

* updated dates

* changed to deprecated maturity
 2025-01-17 10:52:13 -05:00
Terrance DeJesus 5162067a51 [New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377) 
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'

* updated pyproject patch version

* bump repo version

* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

* updating patch version

* updating patch version

* Adding additional threshold rule
 2025-01-15 14:11:58 -05:00
Terrance DeJesus c04ae6d444 [New Rule] Adding Coverage for SNS Topic Message Publish by Rare User (#4350) 
* new rule 'SNS Topic Message Publish by Rare User'

* added new terms note

* added investigation guide tag

* fixed tag, added investigation fiedls

* toml lint

* fixed mitre ATT&CK mapping
 2025-01-15 13:55:45 -05:00
Terrance DeJesus 97b3f43870 [New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328) 
* new rule 'AWS EC2 Deprecated AMI Discovery'

* updated type

* updated non-ecs; bumped package version

* updated query

* added missing index

* updated patch version
 2025-01-15 11:53:18 -05:00
Terrance DeJesus f8312cc5b0 [Rule Tuning] Adjusting Verbiage for AWS EC2 Instance Connect SSH Public Key Uploaded (#4334) 
* tuning rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'

* updating subtechnique ID

* added mitre tag lateral movement

* changing sequence of mitre ATT&CK
 2025-01-15 11:12:53 -05:00
Terrance DeJesus f97007f3a8 [New Rule] Adding Coverage for AWS SQS Queue Purge (#4354) 
* new rule 'AWS SQS Queue Purge'

* Update rules/integrations/aws/defense_evastion_sqs_purge_queue.toml

* added investigation guide tag; fixed file name
 2025-01-15 10:52:22 -05:00
James Valente f52cfb3729 [Rule: Tuning] - Azure blob permission modification tagging - Correct tags (#4371) 
* Remove `Data Source: Elastic Defend` tag

* Update metadata

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-13 10:40:34 -03:00
Ruben Groenewoud 466097c31e [Rule Tuning] Potential Persistence via File Modification (#4310) 
* [Rule Tuning] Potential Persistence via File Modification

* Update persistence_suspicious_file_modifications.toml

* Update persistence_suspicious_file_modifications.toml
 2025-01-03 16:19:58 +01:00
Terrance DeJesus 9fb2dea7aa [New Rule] Endpoint Security Promotion Rules for Specific Events (#3533) 
* new endpoint security rules for specific alerts

* updated risk scores

* fixed rule names and UUIDs

* changed logic to use message field for detection vs prevention

* reverting changes

* reverting changes

* reverting to old commit

* reverting to old commit

* reverting to old commit

* reverting to old commit

* changed naming to Elastic Defend

* updated rule dates and min-stacks

* linted; adjusted queries

* updated ransomware, memory sig or shellcode risk

* Update rules/integrations/endpoint/elastic_endpoint_security.toml

* updated promotion rule

* fixed typos in naming

* updated setup guides

* added intervals

* added MITRE

* added investigation guide for Memory Threat

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* ++

* ++

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

* ++

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update defense_evasion_elastic_memory_threat_prevented.toml

* toml-lint

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* ++

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-12-19 13:24:23 -05:00
Terrance DeJesus dad008ea34 [Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324) 
* rule tuning Okta and AWS lookback times

* adjusted Query Registry using Built-in Tools

* adjusted My First Rule

* Update rules/cross-platform/guided_onboarding_sample_rule.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-12-19 13:03:50 -05:00
Terrance DeJesus 0a740074c9 new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297) 2024-12-12 11:00:02 -05:00
Terrance DeJesus e6012b1db6 Removing ESQL query format error (#4292) 2024-12-10 09:27:37 -05:00
Terrance DeJesus 052672b09f [Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290) 2024-12-09 20:58:33 +05:30
Terrance DeJesus e7b88ae3fc [New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277) 
* new rule 'AWS IAM Login Profile Added for Root'

* added min-stack

* linted; fixed rule schema errors

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-12-09 08:55:20 -05:00
shashank-elastic 2c848c5111 Prep for Release 8.18 (#4288) 2024-12-09 18:25:13 +05:30
Isai 511c108ba1 [Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283) 
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application

SDH related rule tuning for o365.audit dataset

* removing renamed field from query
 2024-12-06 17:27:38 -05:00
shashank-elastic 801efb3d93 Protections for AWS Bedrock (#4270) 2024-12-03 21:56:39 +05:30
shashank-elastic 53cfeb76e3 Add event dataset for missing rule in Github integration (#4278) 2024-12-03 20:32:55 +05:30
shashank-elastic 5ab7565923 Minstack versions for Okta and Github Integration (#4273) 2024-11-27 18:39:41 +05:30
Terrance DeJesus 2d79494068 new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271) 2024-11-25 10:28:43 -05:00
Samirbous f36845318e [New] First Time Seen User Auth via DeviceCode Protocol (#4153) 
* Create credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_first_time_seen_device_code_auth.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-11-11 13:04:18 +00:00