security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,828 Commits 1 Branch 0 Tags
dev-v1.2.13
Commit Graph

128 Commits

Author SHA1 Message Date
Eric Forte 5b3dac0a14 [FR] Add Ability to Filter Rule Exports from Kibana (#4783) 
* Add ability to filter on custom rules and filter exports
 2025-06-09 12:21:15 -04:00
github-actions[bot] 4cf3d28367 Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4758) 2025-06-02 21:53:59 +05:30
github-actions[bot] 8a829d1503 Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4756) 2025-06-02 20:44:01 +05:30
shashank-elastic 89fe4c977c Refresh Integration Manifest & Schema (#4755) 2025-06-02 20:14:43 +05:30
Sergey Polzunov 2cc81fc0cb fix: Making github lib a main dependency (#4744) 
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-05-28 10:35:31 +02:00
github-actions[bot] 72ec8199ae Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4732) 2025-05-20 08:26:21 +05:30
github-actions[bot] 5832aec32b Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4731) 2025-05-20 07:44:22 +05:30
shashank-elastic 43cdc7ff51 Refresh MITRE version (#4729) 2025-05-19 22:49:33 +05:30
Emmanuel Ferdman 2ad2d68c4a Resolve datetime.utcfromtimestamp deprecation (#4719) 2025-05-19 21:35:07 +05:30
Terrance DeJesus 8f27c24528 [New Rule] Suspicious Email Access by First-Party Application via Microsoft Graph (#4704) 
* new rule 'Suspicious Email Access by First-Party Application via Microsoft Graph'

* updated patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-05-09 20:49:08 -04:00
github-actions[bot] acab8b4c6e Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4703) 2025-05-07 07:34:20 +05:30
github-actions[bot] 69498a97ac Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4702) 2025-05-06 23:12:56 +05:30
Eric Forte 639d748ec2 [FR] Add check-version-lock dev command (#4650) 
* Add check-version-lock dev command

* Bump the version

* Add Check Double Bumps to lock-versions workflow

* Replace return with ctx aware exit

* Bump Version

* Update Double Bump Modulo calculation

* Update if formatting

* Undo formatting typo

* Add logic to process the local file

* Update for descriptiveness

* Allow double bump branch for testing

* Pass github token

* Re-restrict to main

* Patch version bump

* Add comment if no double bumps found

* Bump Version
 2025-05-06 13:26:23 -04:00
shashank-elastic e4856d3c2c Refresh ecs, beats, integration manifests & schemas (#4699) 2025-05-05 23:06:40 +05:30
shashank-elastic b3adc6d3ea Deprecate Experimental ML command (#4669) 2025-05-02 21:01:46 +05:30
Samirbous dddc2a7bb9 [New] Microsoft 365 OAuth Redirect to Device Registration for User (#4694) 
* [New] Microsoft 365 OAuth Redirect to Device Registration for User Principal

https://github.com/elastic/ia-trade-team/issues/590

* Update non-ecs-schema.json

* Update pyproject.toml

* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml

* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml

* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml

* fixed investigation guide formatting; fixed unit test failure

* updated patch version

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2025-05-02 08:36:10 +01:00
Terrance DeJesus bae7835f6a [New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client (#4642) 
* new rules for MSFT Oauth phishing in Azure, Entra and Microsoft 365

* changed m365 file name

* fixed duplicate tactics

* updaing non-ecs for graph activity logs

* updating rules; investigation guides; formatting, linting errors
 2025-05-01 22:38:41 -04:00
Sergey Polzunov ba959f2ceb fix: Fixing leftover references to sha256 method (#4690) 
* Fixing missed old method name usage

* Patch version bump
 2025-04-30 20:34:15 +02:00
github-actions[bot] fc1e6145cc Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4679) 2025-04-30 18:11:35 +05:30
Sergey Polzunov d72cb92d59 Bringing back "fix: Cleaning up the hashable content for the rule" (#4621) (#4668) 2025-04-28 21:59:55 +05:30
shashank-elastic 97e6d8b706 Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4665) 2025-04-25 20:35:09 +05:30
Sergey Polzunov 191396e5e8 Version bump (#4655) 2025-04-24 13:19:36 -04:00
Sergey Polzunov b7a324b2e8 Revert "fix: Cleaning up the hashable content for the rule (#4621)" (#4654) 
This reverts commit 80c4f7eacc.
 2025-04-24 19:05:17 +02:00
Sergey Polzunov 80c4f7eacc fix: Cleaning up the hashable content for the rule (#4621) 2025-04-24 14:33:26 +05:30
github-actions[bot] 70062c3991 Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4649) 2025-04-24 07:12:12 +05:30
shashank-elastic 54fadc8e2e Add 8.18 and 9.0 beats schemas (#4641) 2025-04-24 05:36:45 +05:30
Terrance DeJesus bbfc026c95 [New Hunt] New Hunting Queries for DPRK ByBit (#4644) 
* new hunting queries for macOS DPRK

* added docker hunting queries
 2025-04-23 16:41:23 -04:00
Samirbous ea31143b83 [New] Suspicious Azure Sign-in via Visual Studio Code (#4639) 
* Create initial_access_entra_login_visual_code_phish.toml

* Update non-ecs-schema.json

* Update initial_access_entra_susp_visual_code_signin.toml

* Update pyproject.toml

* Update initial_access_entra_susp_visual_code_signin.toml

* Update non-ecs-schema.json
 2025-04-23 14:06:05 +01:00
Jonhnathan 364d9dd3bc [New Rule] Threat Intel Email Indicator Match (#4598) 
* [New Rule] Threat Intel Email Indicator Match

* Update threat_intel_indicator_match_email.toml

* Update pyproject.toml

* Adds IG

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/threat_intel/threat_intel_indicator_match_email.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2025-04-22 12:15:36 -03:00
Eric Forte 62feac3348 [Bug] Update Schema Prompt to include new_terms_fields (#4567) 
* Update Schema Prompt to include new_terms_fields

* Version Bump

* Ensure list of strings

* Update utils to support comma deliminated strings

* Also remove excess quotes

* Bump patch version

* Remove Union

* bump version
 2025-04-17 10:45:51 -04:00
Frederik Berg 6cb238bedb [Enhancement] Add flag to export rules via KQL search on name (#4594) 
* Add flag to export rules via KQL search on name

* Add KQL to help text

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* version patch bump

* flake8 trimming

* pyproject bump

* Bump version

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2025-04-16 18:40:46 -04:00
Frederik Berg 9b682b752c Feature exclude tactic name (#4593) 
* Added new cli flag to exclude tactic name in rule file name

* added a shortcut for the flag and adjusted CLI readme

* Add no tactic flag also to import to prevent warnings

* Added info about unit test

* version bump

* Added no_tactic_filename as config option + fixed linting

* pyproject version bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2025-04-16 16:02:14 -04:00
Eric Forte 033c82858c [FR] Add Support for Local Dates Flag (#4582) 
* Add support for local dates flag

* Use two variables

* Add support for import-rules-to-repo

* Revert arg formatting

* Update comment

* Pass Rule Path as Path Object

* Update to rule loader function

* Streamline metadata function

* Also support dictionaries

* Bump patch version

* Reduce complexity

* Add if path exists check

* Fix version bump
 2025-04-16 15:41:09 -04:00
Terrance DeJesus ba16e27edb [Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570) 
* tuning 'Azure Service Principal Credentials Added'

* updated patch version

* added investigation guide

* updating patch version

* updating patch version
 2025-04-16 13:58:17 -04:00
Terrance DeJesus 1a6669e5a6 [Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562) 
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'

* updated MITRE ATT&CK mappings

* updated index target

* updated patch version

* updating patch version

* bumping patch version

* updating patch version
 2025-04-16 12:21:41 -04:00
Eric Forte ea7de8230c [FR] Add Kibana Action Connector Error to Exception List Workaround (#4583) 
* Add error catch for workaround

* Switch to set for efficiency

* Patch version bump

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-04-15 09:18:50 -04:00
Eric Forte 108b64f0c2 [FR] Update Detection Rules MITRE Workflow to SHA Pin (#4581) 
* Update to pinned hash

* version bump
 2025-04-15 09:03:34 -04:00
github-actions[bot] fbddc2e659 Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4601) 2025-04-08 18:25:47 +05:30
github-actions[bot] 51826ed32f Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4571) 2025-03-27 09:42:15 +05:30
shashank-elastic 2b3095a13c Update Max signals value to supported limits (#4556) 2025-03-27 09:02:25 +05:30
shashank-elastic e8c54169a4 Prep main for 9.1 (#4555) 
* Prep for Release 9.1

* Update Patch Version

* Update Patch version

* Update Patch version
 2025-03-26 11:04:14 -04:00
Eric Forte 2d2c5b4d88 [Bug] Update Custom Rules Markdown Location (#4565) 
* Update to custom-rules markdown location

* bump version

* Update link reference
 2025-03-26 10:00:52 -04:00
Sergey Polzunov 65170c394b fix: removing outdated code in Kibana client auth (#4495) 
* Simplify kibana session management

* Drop removed options from `kibana_args` set

* Style fix

* Patch version bump

* Bumping kibana lib version

* Relax CLI requirement, making `api_key` optional, to allow `help` to run
 2025-03-24 12:28:36 +01:00
Terrance DeJesus db78756062 [New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535) 
* new rules for AWS DynamoDB data exfiltration

* bumping patch version

* adjusting investigation guide

* updating patch version

* updating patch version

* updating patch version

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-03-21 10:05:24 -04:00
shashank-elastic 059d7efa25 Prep for Release 9.0 (#4550) 2025-03-20 20:32:07 +05:30
Eric Forte 5ccb7ed4af Min stack rules from 4516 (#4549) 2025-03-19 20:27:30 -04:00
Eric Forte 5b3dc4a4a7 Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548) 
This reverts commit 2ff8d1bb56.
 2025-03-19 20:08:08 -04:00
Kirti Sodhi 2ff8d1bb56 Add new ML detection rules for Privileged Access Detection (#4516) 
Add detection-rules for privileged access detection integration
 2025-03-19 11:02:28 -04:00
Eric Forte 40a97f719f Temporaily Disable Changed FIles Workflow (#4538) 
* Temporaily Disable Changed FIles Workflow

* bump version
 2025-03-14 23:42:48 -04:00
github-actions[bot] a64b6a39a7 Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4531) 2025-03-12 19:02:53 +05:30