security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,233 Commits 1 Branch 0 Tags
fcc8aaaf63ee8f736c4f6478de372c149889337a
Commit Graph

163 Commits

Author SHA1 Message Date
Eric Forte 47d7a3acaa [DaC] Beta Release (#3889) 
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2024-08-06 18:07:12 -04:00
github-actions[bot] f9717e71bb Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3961) 2024-08-06 19:37:36 +05:30
github-actions[bot] 823e8fd140 Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#3926) 2024-07-25 18:38:08 +05:30
shashank-elastic f3b0dc1954 Prep for next release 8.16 (#3919) 2024-07-24 11:19:56 -04:00
eric-forte-elastic baee89de9b Revert "Prep for next release 8.16 (#3914)" 
This reverts commit 4245a815d2.
 2024-07-23 14:06:04 -04:00
shashank-elastic 4245a815d2 Prep for next release 8.16 (#3914) 
* Prep for Release 8.16

* Add subscription

* Remove double subscription

* Formatting

* Formatting

* Revert Beaconing rules minstack and lock version
 2024-07-23 13:04:03 -04:00
Mika Ayenson 03c99d22d3 Revert "Prep for Release 8.16 (#3913)" 
This reverts commit 01135085f6.
 2024-07-23 09:50:04 -05:00
shashank-elastic 01135085f6 Prep for Release 8.16 (#3913) 2024-07-23 09:42:26 -05:00
George Papakyriakopoulos 80ac2794f2 [Rule BugFix] Google Workspace Oauth2 new app (#3436) 
* [Rule BugFix] Google Workspace Oauth2 new app

In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:

```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```

After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.

We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.

* [Rule BugFix] Google Workspace Oauth2 new app update (#3436)

In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:

```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```

After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.

We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-11 10:45:17 -04:00
github-actions[bot] 6a28881b5f Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3880) 2024-07-09 19:13:24 +05:30
ar3diu 5048bc26bd [Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 (#3806) 
* Add "by host.id" argument to the sequence command in the rule query.

* Update collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-07-03 10:39:15 -04:00
Terrance DeJesus 99a4d629c9 [New Rule] Entra ID Device Code Auth with Broker Client (#3819) 
* new rule 'Entra ID Device Code Auth with Broker Client'

* updated azure integration, non-ecs updated, rule date updated

* updates tags

* updated query to add Azure activity logs

* merging in main

* updated azure manifest and schemas

* updated azure manifest and schemas

* updated index map for summary and changelog

* removed string imports

* reverting packaging.py updates

* adjusted query

* adjusted query to be more optimized

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-07-01 10:31:26 -04:00
github-actions[bot] aef9fe8ec4 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3845) 2024-06-28 17:49:18 +05:30
Jonhnathan 54d5b442cf [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs (#3825) 
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs

* .

* Update integration-schemas.json.gz

* Fix integration manifests
 2024-06-26 11:06:27 -03:00
github-actions[bot] 6f43d1f535 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3821) 2024-06-25 17:58:37 +05:30
Terrance DeJesus 020ca4be24 [New Rule] Rapid7 Threat Command CVEs Correlation (#3718) 
* new rule 'Rapid7 Threat Command CVEs Correlation'

* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated threat index and tags

* changed 'indicator match' to 'threat match' for tags

* removed timeline

* updating integrations to match main

* re-adding rapid7 threat command integration manifest and schema

* reverting changes; removing timeline

* changed max signals to 10000

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-12 18:01:44 -04:00
github-actions[bot] e3a72c6c47 Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3778) 2024-06-11 20:57:01 +05:30
Ruben Groenewoud ec223a4a05 [New Rule] Suspicious File Modification (#3746) 
* [New Rule] Suspicious File Modification

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_suspicious_file_modifications.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Updates

* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-06-11 13:03:20 +02:00
shashank-elastic e357a2c050 Refresh MITRE Attack v15.1.0 (#3725) 2024-06-04 20:14:58 +05:30
github-actions[bot] 259bab7a5a Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 (#3716) 2024-05-29 19:48:22 +05:30
Terrance DeJesus 527f785a60 [New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599) 
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'

* updated rule name

* changed file name; added false-positive note

* changed rule UUID

* adjusted file name

* updated tags

* added investigation guide; updated query logic

* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* updated query and name

* updated query optimization

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2024-05-28 10:49:20 -04:00
shashank-elastic f73022b900 Package Manifest changes to add capabilities (#3706) 2024-05-23 15:46:35 -05:00
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704) 2024-05-23 00:45:10 +05:30
Mika Ayenson 2c3dbfc039 Revert "Back-porting Version Trimming (#3681)" 
This reverts commit 71d2c59b5c.
 2024-05-22 13:51:46 -05:00
shashank-elastic 71d2c59b5c Back-porting Version Trimming (#3681) 2024-05-23 00:11:50 +05:30
Jonhnathan d023ad66b1 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627) 
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-05-20 09:50:57 -03:00
Mika Ayenson 79f575b33c [FR] Normalize yml ext to yaml (#3675) 2024-05-15 15:18:39 -05:00
github-actions[bot] f3585da503 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 (#3676) 2024-05-15 17:04:22 +05:30
shashank-elastic 50a8b52cd5 Prepare For Next Elastic Stack 8.15 (#3670) 2024-05-15 00:31:02 +05:30
Mika Ayenson 78837549e8 [FR] Bundle KQL & Kibana libs into base dependencies (#3662) 2024-05-13 14:29:03 -05:00
github-actions[bot] 84437bac03 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3650) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Bumping status checks

* undo bump

---------

Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2024-05-06 12:44:32 -04:00
github-actions[bot] ca78f550fd Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3630) 2024-04-30 18:06:01 +05:30
Justin Ibarra c567d3731a Refresh Kibana module with API updates (#3466) 
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2024-04-26 11:12:50 -06:00
github-actions[bot] 374f21fbc4 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615) 2024-04-23 17:59:01 +05:30
Jonhnathan d0dfa479bb [Rule Tuning] Windows BBR Rule Tuning - 1 (#3579) 
* [Rule Tuning] Windows BBR Rule Tuning - 1

* Update non-ecs-schema.json

* Update rules_building_block/command_and_control_certutil_network_connection.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/collection_common_compressed_archived_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_dll_hijack.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-04-08 10:38:41 -03:00
Terrance DeJesus 0cb42983c1 updated to v14.0 mitre ATT&CK (#3289) 
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2024-04-05 14:30:23 -04:00
github-actions[bot] 8d5bd3b0f6 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3567) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-04-02 23:59:42 +05:30
github-actions[bot] eaf4658620 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: shashank-elastic <shashank-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-03-21 20:30:46 +05:30
Mika Ayenson 5c3523954e [FR] Update Python Dependency Versions (#3515) 2024-03-19 14:07:16 -05:00
github-actions[bot] bf3932f384 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3491) 2024-03-06 23:10:02 +05:30
shashank-elastic a4094df732 Prepare For Next Elastic Stack Minor Release (#3490) 2024-03-06 21:26:54 +05:30
github-actions[bot] 7815d23110 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3459) 2024-02-20 22:56:59 +05:30
github-actions[bot] 827dfa7327 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3431) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

* updated downloadable updates file to reconcile changes

* Removed spacing from downloadable updates file

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-02-06 14:48:33 -05:00
github-actions[bot] d093336125 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3402) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-01-23 16:36:55 -05:00
Isai 442435830f [New Rules] UEBA GItHub BBRs and Rules (#3174) 
* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-22 12:48:31 -05:00
github-actions[bot] f37d13f29b Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3358) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/deprecated_rules.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-01-02 12:25:33 -05:00
Samirbous 07b952b7bc [Tuning] Remote Scheduled Task Creation (#3337) 
* Update non-ecs-schema.json
* add timestamp override

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-12-14 16:39:52 -07:00
github-actions[bot] a39a52360a Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 (#3319) 
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12

* Update detection_rules/etc/version.lock.json

---------

Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-12 13:23:14 -05:00
Terrance DeJesus 93d71acb91 [New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265) 
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'

* updated non-ecs; linted rule; updated description

* adjusted interval and maxspan

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-12 10:31:45 -05:00
Eric Forte 90a2043bc4 [FR] 8.12 Release Preparation update Main Branch to 8.13 (#3313) 
* 8.12 Release Prep update Main Branch to 8.13

* Fix typo in integrations

* Updated Schemas
 2023-12-11 14:58:06 -05:00