security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
675 Commits 1 Branch 0 Tags
fd0eee4cc07135545e5e2e0c2c044b28a8e02f03
Commit Graph

675 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Justin Ibarra fd0eee4cc0 Add new ECS and beats schemas (#1303) 
(cherry picked from commit 1099f181f9)
 2021-06-23 22:08:39 +00:00
Austin Songer 102b9ff7d5 [New Rule] AWS RDS Security Group Created (#1260) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
(cherry picked from commit 8e451f2318)
 2021-06-23 00:15:15 +00:00
Austin Songer 6fd6bb1712 [New Rule] AWS RDS Security Group Deleted (#1261) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
(cherry picked from commit fe14cd23ed)
 2021-06-23 00:09:32 +00:00
Austin Songer 7749086f3b [New Rule] AWS RDS Instance Creation (#1269) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
(cherry picked from commit 9d4574b267)
 2021-06-23 00:03:06 +00:00
Austin Songer 78c75d71b0 [New Rule] AWS RDS Snapshot Export (#1270) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
(cherry picked from commit ccae1dc841)
 2021-06-22 23:58:29 +00:00
Austin Songer 4823a40d19 [Rule Tuning] Potential password spraying of microsoft 365 user accounts (#1164) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit c215c44809)
 2021-06-22 17:36:32 +00:00
Ross Wolf ba5f3eed82 Switch from process.ppid to process.parent.pid (#1255) 
* Switch from process.ppid to process.parent.pid
* Bump updated date
* Bump updated date

(cherry picked from commit 31f63e728e)
 2021-06-22 15:10:59 +00:00
Brent Murphy 549cc9992d [Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account (#1251) 
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* add authors

(cherry picked from commit d8ef9a81ef)
 2021-06-22 14:39:09 +00:00
Brent Murphy c493c5df67 Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml (#1225) 
(cherry picked from commit a8c9d7174f)
 2021-06-22 14:22:18 +00:00
Austin Songer 74132fbbe9 [New Rule] AWS Route 53 Domain Transferred to Another Account (#1198) 
(cherry picked from commit ea9a23af8d)
 2021-06-22 06:09:14 +00:00
Austin Songer 10d22d9477 [New Rule] AWS Route 53 Domain Transfer Lock Disabled (#1197) 
(cherry picked from commit 2cadee1718)
 2021-06-22 06:06:10 +00:00
Austin Songer b8a3f43b99 [New Rule] EC2 Full Network Packet Capture Detected (#1175) 
(cherry picked from commit d7e0e37e54)
 2021-06-22 06:01:05 +00:00
Austin Songer 3996e94bfd [New Rule] Azure Service Principal Credentials Added (#1169) 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
(cherry picked from commit 6986f28af6)
 2021-06-22 05:50:17 +00:00
Ross Wolf 045d928daf Lock versions for 0.13.1 package 2021-06-17 12:38:27 -06:00
Ross Wolf 1f5820be76 Bump package version to 0.13.1 2021-06-17 07:23:50 -06:00
Ross Wolf 6fca31c5de Fix fleet package generation (#1296) 
* Fix fleet package generation
* Add .lstrip()
* Lint fix
* Add newline

(cherry picked from commit e897a67604)
 2021-06-17 12:16:27 +00:00
Ross Wolf 98cb7b00cc Simplify version locking code and fix 7.13.0 lock (#1295) 
* Update version lock overwrite command
* Fix tooling and restore old version lock
* Lint fix
* Fix tests
* Remove dead code
* Filter to prod+deprecated rules
* Cast set -> list
* Store deprecation info
* Add correct version.lock.json (finally)
* Fix "stack_version" typo
* Remove stack_version
* Back out main.py changes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit f6839e98d1)
 2021-06-17 00:03:05 +00:00
Justin Ibarra 18765631fb Fix rules which were note using v2 license (#1291) 
(cherry picked from commit e0fa25ae8e)
 2021-06-16 14:21:50 +00:00
Ross Wolf 915c2dea2a [Bug] Fix ML job IDs that used hyphens (#1287) 
* Fix ML job IDs that used hyphens
* Update ml_high_count_network_denies.toml
* Update ml_spike_in_traffic_to_a_country.toml
* Set updated_date

(cherry picked from commit 49cb2e8dbf)
 2021-06-15 17:41:04 +00:00
David French fb93735c0f [Rule Tuning] Attempts to Brute Force an Okta User Account (#1216) 
* update rule.threshold field value

* add rule authors

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 177cfc85bf)
 2021-06-15 16:08:09 +00:00
Apoorva Joshi cce7c126b6 Updating rules to query v2 (#1254) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
(cherry picked from commit 1f7c88c6f4)
 2021-06-15 14:21:09 +00:00
Ross Wolf 1fd625d650 [Fleet] Update template and packaging code for fleet packages (#1280) 
* Update template and packaging code for fleet packages
* Fix linting

(cherry picked from commit 61e5b44c44)
 2021-06-15 13:55:09 +00:00
Brent Murphy 683621fe62 [Rule Tuning] Update network rule address blocks (#1227) 
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 12577f7380)
 2021-06-15 13:23:16 +00:00
Austin Songer 3d6cefb296 [Rule Tuning] Attempts to brute force a microsoft 365 user account (#1163) 
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 546e43071c)
 2021-06-15 13:20:40 +00:00
Brent Murphy 8b3d085f73 Update persistence_suspicious_com_hijack_registry.toml (#1244) 
(cherry picked from commit 13bf55480a)
 2021-06-14 13:00:39 +00:00
Ross Wolf ecbfb8b572 Add KQL support for additional ES field types (#1247) 
(cherry picked from commit c98398f1ef)
 2021-06-11 04:30:25 +00:00
Austin Songer 5d41f2719a [New Rule] AWS EC2 VM Export Failure (#1142) 
* New Rule: AWS EC2 VM Export Failure

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

* Update exfiltration_ec2_vm_export_failure.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 6b45186827)
 2021-06-09 19:03:56 +00:00
Brent Murphy 1eb36b1a9e [New Rule] Modification of AmsiEnable Registry Key (#1248) 
* Create defense_evasion_amsienable_key_mod.toml

(cherry picked from commit fce022c275)
 2021-06-07 17:21:36 +00:00
Ross Wolf cc6cc6bd3e Lock the versions from 7.13.0 (#1256) 
(cherry picked from commit 90c6f24e8f)
 2021-06-04 22:15:47 +00:00
Apoorva Joshi 30644d0d6a Update problem-child.md (#1253) 
(cherry picked from commit 8bb7218e38)
 2021-06-03 19:47:15 +00:00
Justin Ibarra 14349b342d Refactor experimental ML CLI and code (#1218) 
* move github and ml to their own files
* refactor release and ml commands
* update ML readmes
* add unzip_to_dict function
* prompt for model ID in remove-model
* update experimental rule upload process
* update remove-scripts-pipelines to take multiple options

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Apoorva <appujo@gmail.com>
(cherry picked from commit 0ec8d67e78)
 2021-06-03 04:37:34 +00:00
Justin Ibarra 057d29a8d2 Fix create-rule bug (#1246) 
(cherry picked from commit e46f5e96d3)
 2021-06-01 16:31:59 +00:00
Brent Murphy f91e0facea Update privilege_escalation_persistence_phantom_dll.toml (#1228) 
(cherry picked from commit 6626cbb943)
 2021-06-01 13:29:25 +00:00
Brent Murphy f9805954ee [New Rule] Unusual Network Connection via DllHost (#1232) 
* Create defense_evasion_unusual_network_connection_via_dllhost.toml
* add timestamp override

(cherry picked from commit c457614e37)
 2021-05-28 19:09:26 +00:00
Brent Murphy acfca54f73 [New Rule] Suspicious Execution from a Mounted Device (#1230) 
* Create defense_evasion_suspicious_execution_from_mounted_device.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 31e8d03438)
 2021-05-28 18:44:24 +00:00
Ross Wolf 4088f6b544 Add a command to create a Kibana PR (#1208) 
* Add a command to create a Kibana PR
* Reformat code
* Fix docstring whitespace
* Make a hidden token prompt
* Fix E501

(cherry picked from commit b0270d059f)
 2021-05-17 20:57:38 +00:00
Austin Songer fcd29373d5 [Rule Tuning] High Number of Okta User Password Reset or Unlock Attempts (#1200) 
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 58ea49b092)
 2021-05-14 20:05:56 +00:00
Ross Wolf afa6f1b541 Update backport.yml (#1205) 
(cherry picked from commit a940c10ead)
 2021-05-13 22:55:10 +00:00
Ross Wolf 79cd81288a Port historical schemas to jsonschema (#1084) 
* Port historical schemas to jsonschema
* Add marshmallow-json dependency
* Mark etc/api_schemas as binary
* Remove gitattributes attempt
* Lint fix
* Apply PR feedback
* Additional PR feedback
* Extract stack version from packages.yml
* Fix the backport schemas
* Cache the schema reads
* Add migration for #1167
* Make a separate 'migration not found' error

(cherry picked from commit eb40c52c7c)
 2021-05-13 20:27:47 +00:00
Brent Murphy 88fda20b78 [Bug] Update main.py to fix toml-lint (#1202) 
(cherry picked from commit e40276c12b)
 2021-05-13 15:43:30 +00:00
Justin Ibarra 138e410a06 Cleanup note field in rules (#1194) 
* standardize usage of note field

(cherry picked from commit 6ef5c53b0c)
 2021-05-10 21:41:23 +00:00
Ross Wolf 9ac3de7c82 Retrieve branch history of main in backport job 
(cherry picked from commit 60f5168f07)
 2021-05-06 23:17:30 -06:00
Ross Wolf c11a07316c Disable persist-credentials from checkout job (#1187) 
* Disable persist-credentials from checkout job
* Set the token at the checkout stage

(cherry picked from commit 700c63d7d5)
 2021-05-07 05:15:48 +00:00
Ross Wolf 342c35766d Use @protectionsmachine to push backports (#1186) 
(cherry picked from commit a33e943591)
 2021-05-07 05:14:02 +00:00
Ross Wolf 00b479cb33 Fix backport job webhook + push (#1185) 
(cherry picked from commit f3f344018b)
 2021-05-06 21:40:05 -06:00
Ross Wolf 67febf3b45 Add job for 'backport: auto' labeled PRs (#1174) 
* Add job for 'backport: auto' labeled PRs

* Limit the job to sequential only

* Fix delayed labels and use the right commit

* Add slack webhook integration

(cherry picked from commit 2ceb5b52c9)
 2021-05-06 21:39:54 -06:00
Justin Ibarra a623e34a9e Fix rule filenames during packaging (#1158) 2021-05-05 11:30:46 -08:00
Justin Ibarra 16b2761415 Allow ML rules to accept a single or array of job IDs (#1167) 2021-05-05 08:58:28 -08:00
Justin Ibarra 82ec6ac1ee Convert windows rules from KQL to EQL (#1114) 2021-04-30 11:21:12 -08:00
Andrew Pease 92eaa5b18a [New Rule] Threat intel indicator match rule (#1133) 2021-04-26 07:07:04 -05:00