security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,571 Commits 1 Branch 0 Tags
ec791fa67a4e597ef5013fbd2972508fc522ec4d
Commit Graph

338 Commits

Author SHA1 Message Date
Susan d8a39869c5 Add Entity related integrations ML rules with _ea job IDs and min_stack_version 9.4.0 (#5909) 
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2026-04-22 17:36:35 +05:30
github-actions[bot] c601edfbb3 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5930) 2026-04-08 19:44:16 +05:30
github-actions[bot] 88bc42265f Lock versions for releases: 8.19,9.1,9.2,9.3 (#5926) 2026-04-07 17:45:00 +05:30
Terrance DeJesus 48128c1c66 [Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field (#5894) 
* [Rule Tuning] Entra ID Illicit Consent Grant via Registered Application - Fix New Terms Field
Fixes #5893

* adding non-admin consented filter

* converting to ESQL

* additional query adjustments

* adjusted query KEEP

* updating non-ecs

* Apply suggestion from @terrancedejesus
 2026-04-06 09:40:21 -04:00
shashank-elastic 199a4d6160 Monthly Manifest and Schema Updation (#5920) 2026-04-06 17:35:33 +05:30
github-actions[bot] d9890db6ff Lock versions for releases: 8.19,9.1,9.2,9.3 (#5888) 
* Locked versions for releases: 8.19,9.1,9.2,9.3

* Update pyproject.toml

---------

Co-authored-by: Mikaayenson <Mikaayenson@users.noreply.github.com>
 2026-03-26 12:31:50 -05:00
Terrance DeJesus cd19b25485 [New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme (#5878) 
* [New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme
Fixes #5877

* adding microsoft_exchange_online_message_trace to manifests/schemas; bumping patch

* updated mitre

* Update rules/integrations/microsoft_exchange_online_message_trace/initial_access_azure_monitor_callback_phishing_email.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* bumping patch

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2026-03-26 10:50:15 -05:00
Eric Forte 75ffa5ec4e [FR] [DaC] Add fine-grained bypass env var for ES|QL keep and metadata validation (#5869) 
* Add fine grain 'keep' req bypass

* Add metadata bypass
 2026-03-24 14:36:45 -04:00
github-actions[bot] b14dec9efa Lock versions for releases: 8.19,9.1,9.2,9.3 (#5875) 2026-03-23 23:45:25 +05:30
Mika Ayenson, PhD ade7de7be4 [New Rules] External Promotion Alert for IBM QRadar (#5843) 2026-03-20 14:42:43 -05:00
Ruben Groenewoud 8b140d5811 [Rule Tuning] Added Traefik Compatibility to Web Server Access Rules (#5837) 
* [Rule Tuning] Added Traefik Compatibility to Web Server Access Rules

* ++

* Bump pyproject.toml

* Bump pyproject.toml
 2026-03-17 17:28:47 +01:00
Terrance DeJesus 937a7a35e6 [New Rule] Azure Arc Kubernetes Cluster Connect Abuse (#5824) 
* [New Rule] Azure Arc Kubernetes Cluster Connect Abuse
Fixes #5823

* rename, adjusted query

* adding KEEP *

* adjusting maturity

* added to non-ecs schema

* updating rule

* addressing unit test failures

* adjustments to logic, mitre mappings, unit test failures, etc.

* Update rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-03-17 11:06:47 -04:00
Mika Ayenson, PhD 49c9c283e6 [FR] Reset deprecated lock to the latest state during lock (#5827) 2026-03-16 17:04:56 -05:00
github-actions[bot] 61211a2670 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5820) 2026-03-10 18:49:55 +05:30
github-actions[bot] 87badac5a0 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5818) 2026-03-10 15:33:16 +05:30
shashank-elastic e08f234b1c Monthly Manifest and Schema Updation (#5816) 
* Monthly Manifest and Schema Updation

* Update Patch Version
 2026-03-09 08:15:06 -05:00
Terrance DeJesus 5ecbc0f0b9 [New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access (#5777) 
* [New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access
Fixes #5776

* adjusting UUIDs

* added additional strings

* adjusted investigation guide

* fixed mitre mappings

* fixed mitre mappings

* Apply suggestion from @terrancedejesus
 2026-02-26 14:29:14 -05:00
Terrance DeJesus 71c461d867 [New Rule] M365 MFA Notification Email Deleted or Moved (#5779) 
* [New Rule] M365 MFA Notification Email Deleted or Moved
Fixes #5778

* updated non-ecs

* adjusted rule name

* Apply suggestion from @terrancedejesus
 2026-02-26 13:21:08 -05:00
Terrance DeJesus 8593116f58 [New Rule] Okta User Authentication via Proxy Followed by Security Alert (#5752) 
* [New Rule] Okta User Authentication via Proxy Followed by Security Alert
Fixes #5751

* adjusted to EQL

* fixed syntax

* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* removed defense evasion; adjusted maxspan to 30m

* removed Okta tag

* adding Okta back as integration tag

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2026-02-26 11:32:25 -05:00
Terrance DeJesus 04ad018f27 [Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads (#5767) 
* [Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads
Fixes #5766

* updated non-ecs

* fixing keep command
 2026-02-26 10:38:59 -05:00
github-actions[bot] 92a379e034 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5765) 2026-02-24 18:49:27 +05:30
Terrance DeJesus f773103519 [Rule Tuning] Entra ID Federated Identity Credential Persistence Detection (#5702) 
* [Rule Tuning] Entra ID Federated Identity Credential Persistence Detection
Fixes #5701

* updated mitre mapping ID

* adjusted mitre mappings; non-ecs schema file

* fixed trailing comma in non-ecs; adjusted file name

* adjusted file name; fixed non-ecs schema for upstream ESQL validation

* Apply suggestion from @terrancedejesus

* Apply suggestion from @terrancedejesus

* changed lookback to 9 minutes; adjusted keep values

* added setup; added tag
 2026-02-19 15:58:12 -05:00
Terrance DeJesus 63f76cf004 [Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client (#5681) 
* [Rule Tuning] Transform Dormant SharePoint Rule to Detect OAuth Phishing
Fixes #5680

* adjusted query format for unit test; added additional domain tag for storage

* Apply suggestion from @terrancedejesus

* Fix formatting in non-ecs-schema.json

* adjusted description

* re-order mappings
 2026-02-19 10:09:15 -05:00
Terrance DeJesus 62cc9f105d [Rule Tuning] Okta User Assigned Administrator Role (#5671) 
Fixes #5670
 2026-02-12 09:33:25 -05:00
github-actions[bot] df9c27d82e Lock versions for releases: 8.19,9.1,9.2,9.3 (#5708) 2026-02-10 11:14:23 +05:30
shashank-elastic 70d7f2b6b1 Monthly Manifest and Schema Updation (#5697) 2026-02-10 09:17:04 +05:30
Ruben Groenewoud 64a08cd6af [New Rules] Misc. K8s RBAC Abuse Rules (#5673) 
* Updated kubernetes.audit.requestObject.spec.containers.image type of text to Keyword

* [New Rules] Misc. K8s RBAC Abuse Rules

* --

* Update non-ecs-schema

* Update to make unit tests happy

* Mitre mapping updates

* Fix query logic for service account role bindings

* Fix formatting in persistence_service_account_bound_to_clusterrole rule
 2026-02-05 17:42:03 +01:00
Samirbous 362c459094 [New] Multiple Machine Learning Alerts by Influencer Field (#5660) 
* [New] Multiple Machine Learning Alerts by Influencer Field

This rule uses alerts data to determine when multiple different machine learning alerts involving the same influencer field are triggered. Analysts can use this to prioritize triage and response, as these entities are more likely to be more suspicious.

* Update multiple_machine_learning_jobs_by_entity.toml

* Update multiple_machine_learning_jobs_by_entity.toml

* Update non-ecs-schema.json

* Update multiple_machine_learning_jobs_by_entity.toml

* Update non-ecs-schema.json
 2026-02-04 12:25:59 +00:00
Ruben Groenewoud c455d3d98a [Rule Tuning] Full Kubernetes Ruleset (#5659) 
* [Rule Tuning] Full Kubernetes Ruleset

* ++

* Update manifests & schemas

* Update pyproject.toml

* Added "kubernetes.audit.userAgent" to non_ecs

* Updated kubernetes.audit.requestObject.spec.containers.image of type text to Keyword

* Apply suggestion from @Aegrah

* Apply suggestion from @Aegrah

* Update privilege_escalation_pod_created_with_hostnetwork.toml

* Apply suggestion from @Aegrah

* Update privilege_escalation_pod_created_with_hostipc.toml

* Apply suggestion from @Mikaayenson

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* ++

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-02-04 10:42:41 +01:00
github-actions[bot] 8b8c0beec7 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5639) 2026-01-28 18:37:52 +05:30
Eric Forte 070b457659 Test remote_cli update test indices 2026-01-27 20:08:19 +05:30
Eric Forte 7ff19b3497 [Rule Tuning] Accepted Default Telnet Port Connection (#5629) 
* Add Additional Data Sources
 2026-01-26 20:43:23 -05:00
Samirbous 42e7f3b4ce [New] Multiple Alerts on a Host Exhibiting CPU Spike (#5621) 
* [New] Multiple Alerts on a Host Exhibiting CPU Spike

This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.

* Update multiple_alerts_on_host_with_cpu_spike.toml

* Rename multiple_alerts_on_host_with_cpu_spike.toml to impact_alerts_on_host_with_cpu_spike.toml

* Update impact_alerts_on_host_with_cpu_spike.toml

* Update rules/cross-platform/impact_alerts_on_host_with_cpu_spike.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update non-ecs-schema.json

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 20:42:20 +00:00
Samirbous 094f907144 [New] Detection Alert on a Process Exhibiting CPU Spike (#5617) 
* [New] Detection Alert on a Process Exhibiting CPU Spike

This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.

* Update securityt_alert_from_a_process_with_cpu_spike.toml

* Update securityt_alert_from_a_process_with_cpu_spike.toml

* Update rules/cross-platform/securityt_alert_from_a_process_with_cpu_spike.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Rename securityt_alert_from_a_process_with_cpu_spike.toml to security_alert_from_a_process_with_cpu_spike.toml

* Update security_alert_from_a_process_with_cpu_spike.toml

* Rename security_alert_from_a_process_with_cpu_spike.toml to impact_alert_from_a_process_with_cpu_spike.toml

* Update impact_alert_from_a_process_with_cpu_spike.toml

* Update non-ecs-schema.json

* Update rules/cross-platform/impact_alert_from_a_process_with_cpu_spike.toml

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2026-01-26 17:42:31 +00:00
Samirbous 6d9eef48b0 [New] Multiple Vulnerabilities by Asset via Wiz (#5598) 
* [New] Wiz - Multiple Vulnerabilities by Container

* Update multiple_vulnerabilities_wiz_by_container.toml

* Update multiple_vulnerabilities_wiz_by_container.toml

* add wiz manif and schema

* Update multiple_vulnerabilities_wiz_by_container.toml

* Update multiple_vulnerabilities_wiz_by_container.toml

* Update pyproject.toml

* Update multiple_vulnerabilities_wiz_by_container.toml

* ++

* Update external_alerts.toml

* Update multiple_vulnerabilities_wiz_by_container.toml

* Delete detection_rules/etc/integration-manifests.json.gz

* Revert "add wiz manif and schema"

This reverts commit a1e9e7440dcb46ea2abebec834cfc0291e3b60ae.

* Revert "Update pyproject.toml"

This reverts commit 47ab9d2dc8239207126b8512006f353a3fd4affc.

* update manifest and schema for wiz
 2026-01-26 17:26:17 +00:00
Ruben Groenewoud c5b64c9fbf [New/Tuning] General API Abuse D4C/K8s Rules (#5591) 
* [New/Tuning] General API Abuse D4C/K8s Rules

* [New Rule] DNS Enumeration Detected via Defend for Containers

* [New Rule] Tool Enumeration Detected via Defend for Containers

* [New Rule] Tool Installation Detected via Defend for Containers

* Service Account File Reads

* [New Rule] Direct Interactive Kubernetes API Request Detected via Defend for Containers

* Rule name update

* [New Rules] D4C K8S MDA API Request Rules

* Add 'tor' to the list of allowed process args

* ++

* ++

* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update description

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/cloud_defend/execution_tool_installation.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-26 16:59:14 +01:00
Ruben Groenewoud fe4418d7f5 [New Rules] Reintroduction of Defend for Containers (D4C) Ruleset (#5561) 
* [New Rules] Reintroduction of Defend for Containers (D4C) Ruleset

* ++

* Removed Reintroduced Rules from Deprecated Folder

* Updated Rule Names

* Added maturity field

* [Update] Large D4C Compatibility Overhaul

* Added busybox

* Remove file that was accidently added in this PR

* Creation date revert

* ++

* Update pyproject.toml

* ++

* ++

* Update

* Update schemas/manifests

* ++
 2026-01-26 16:37:34 +01:00
Mika Ayenson, PhD bbe83452b4 Revert "[Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578)" (#5620) 
This reverts commit c608b673bf.
 2026-01-26 08:31:53 -06:00
Ruben Groenewoud c608b673bf [Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules (#5578) 
* [Rule Tuning] Adding D4C Compatibility to Compatible K8s-related Rules

* Update manifests & schemas

* [New/Updated] Migrated `process.command_line` --> `process.args` for Compatibility

* Pyproject.toml Patch

* ++
 2026-01-26 13:28:08 +01:00
github-actions[bot] e5291f455c Lock versions for releases: 8.19,9.1,9.2,9.3 (#5553) 2026-01-12 23:52:08 +05:30
shashank-elastic 1ce072a4e5 Prep for Release 9.3 (#5548) 2026-01-12 21:07:07 +05:30
Samirbous 7c36743ce6 [New] Multiple Alerts in Same ATT&CK Tactic by Host (#5550) 
* [New] Multiple Alerts in Same ATT&CK Tactic by Host

This rule uses alert data to determine when multiple alerts in the same phase of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

* Update multiple_alerts_same_tactic_by_host.toml

* Update rules/cross-platform/multiple_alerts_same_tactic_by_host.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update non-ecs-schema.json

* Update multiple_alerts_same_tactic_by_host.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2026-01-12 14:19:51 +00:00
Ruben Groenewoud 34daf12d51 [New Rules] Several GitHub Related Rules (#5470) 
* [New Rules] Several GitHub Related Rules

* Added additional references

* Update defense_evasion_secret_scanning_disabled.toml

* Update persistence_new_pat_created.toml

* Added two more rules

* ++

* Update rules/integrations/github/impact_github_repository_activity_from_unusual_ip.toml

* Added github.repository_public to non_ecs

* Update impact_github_repository_activity_from_unusual_ip.toml

* Update rules/integrations/github/impact_high_number_of_failed_protected_branch_force_pushes_by_user.toml

* ++

* Update rules/integrations/github/exfiltration_high_number_of_cloning_by_user.toml

* Update rules/integrations/github/impact_high_number_of_closed_pull_requests_by_user.toml

* Update rules/integrations/github/impact_high_number_of_protected_branch_force_pushes_by_user.toml

* ++

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2026-01-08 17:19:12 +01:00
Samirbous 30883ab9c0 [New] React2Shell Network Security Alert (#5445) 
* [New] React2Shell Network Security Alert

KQL query that reports network security signatures for React2Shell from 4 integrations (Suricata, Fortigate, Cisco FTD and PANW).

* Update initial_access_react_server_rce_network_alerts.toml

* cisco_ftd schema

 build-schemas -i cisco_ftd

* Update initial_access_react_server_rce_network_alerts.toml

* Update pyproject.toml

* Update rules/network/initial_access_react_server_rce_network_alerts.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update pyproject.toml

* Revert "cisco_ftd schema"

This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2.

* cisco_ftd schema and manifest

* Update pyproject.toml

* Revert "cisco_ftd schema and manifest"

This reverts commit ff2200f70f0e0cf94864c49fe8e8a13fda930bc9.

* Revert "Update pyproject.toml"

This reverts commit d382fcdaaa992cac2d4370f5656f81c530b6ec5a.

* Reapply "cisco_ftd schema"

This reverts commit 1494d4aa3e4f07cebd448fcc2597b4c836a989db.

* Revert "Update pyproject.toml"

This reverts commit 39e1f5e9e34cc0500bd82bc4662ece259a5234ba.

* Revert "cisco_ftd schema"

This reverts commit c97cf58b2180b3c13c29e3901b2a03bfd12463a2.

* ++

* Update pyproject.toml

* integration_cisco_ftd

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-12-19 12:22:44 +00:00
Terrance DeJesus f43bf99698 [New Rule] GitHub Actions Workflow Injection Blocked (#5433) 
* [New Rule] GitHub Actions Workflow Injection Blocked
Fixes #5431

* adjusts MITRE ATT&CK mappings

* adjusting file name

* updating GitHub integration schema; fixed MITRE mappings

* revert manifests / schemas to main

* added dynamic github fields to non-ecs file

* Update rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* changed github actor ID reference

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-12-17 14:29:33 -05:00
Samirbous 6ac69db7ba [Tuning] Elastic Defend and Email Alerts Correlation (#5459) 
* [Tuning] Elastic Defend and Email Alerts Correlation

this rule uses the logs-* generic index, which causes failures on clusters without an email related integration with `destination.user.name` populated.  for now limiting the rule to checkpoint email security and we can add more or users can customize it by adding more indexes.

* add checkpoint_email manifest and schema

* Update pyproject.toml

* Update multiple_alerts_email_elastic_defend_correlation.toml
 2025-12-15 15:33:10 +00:00
github-actions[bot] 793ecfe34a Lock versions for releases: 8.19,9.0,9.1,9.2 (#5426) 2025-12-09 00:29:19 +05:30
shashank-elastic 58a514340b December Schema Refresh (#5420) 2025-12-08 22:07:46 +05:30
Mika Ayenson, PhD f40a383b7e [New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2025-12-05 12:26:56 -06:00
Terrance DeJesus 61c9344677 [Rule Tuning] M365 OneDrive Excessive File Downloads with OAuth Token (#5365) 
* [Rule Tuning] M365 OneDrive Excessive File Downloads with OAuth Token
Fixes #5361

* adding keep operation

* updating non-ecs
 2025-12-03 14:13:35 -05:00