Eric Forte
a726da5e83
[Bug] [DAC] Custom Rules Filter Discrepancy on Stacks Upgraded to 8.18 (#4945)
* Update Custom Rules KQL
* Bump Patch Version
* Update detection_rules/kbwrap.py
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
* Use or instead of and
* Bump patch version
* Fix results len typo
---------
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
2025-08-05 09:42:25 -04:00
github-actions[bot]
c210a88b1f
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4960)
2025-08-04 22:37:59 +05:30
Mika Ayenson, PhD
80e44d0fb8
[Rule Tuning] AI4DSOC External Promotion Alerts (#4959)
2025-08-04 11:27:00 -05:00
shashank-elastic
2c2b15368c
Update latest integration manifests and schema and investigation guides (#4957)
2025-08-04 19:30:01 +05:30
Sergey Polzunov
ff46a7ab4a
fix: Allow different order of the metadata fields in ESQL queries (#4956)
* Initial commit
* Python project version bump
2025-08-02 02:26:39 +02:00
Jonhnathan
04ca2c8128
[New Rule] Unusual Web Config File Access (#4927)
* [New Rule] Unusual Web Config File Access
* Update credential_access_web_config_file_access.toml
2025-08-01 09:35:08 -03:00
Jonhnathan
3de9456197
[Rule Tuning] Script Execution via Microsoft HTML Application (#4950)
2025-08-01 07:55:14 -03:00
Eric Forte
a9ad66935c
[FR] [DAC] Add Arbitrary File location Support for Local Creation Date (#4915)
* Add support for local file contents
* Update Rule Params
* Update CLI docs
* Update to Pathlib
* Format updating
* Delete duplicate
* Update logic to handle just local_contents path
* Update to Glob Based Approach
* Updated to use RawRuleCollection
* Fix Logging Typo
* New utils functions no longer needed
* Update naming for convention
2025-07-31 14:35:00 -04:00
Eric Forte
bf3071d3d1
[FR] Add white space checking for KQL parse (#3789)
* Add whitespace checking for KQL parse
* Add unit test for blank space check
* Bump patch version
* Add test cases for newline blank space
* Add additional unit tests
* Update to only walk tree once
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-07-31 14:23:53 -04:00
Mika Ayenson, PhD
1dc3926203
[New Rules] External Promotion Alerts (#4903)
2025-07-31 11:00:50 -05:00
Mika Ayenson, PhD
f2fac1bc48
[FR] [DAC] Add existing mitre threat information on import (#4948)
2025-07-31 09:44:09 -05:00
Terrance DeJesus
0e78ce360b
[Rule Tuning] Microsoft Azure or Mail Sign-in from a Suspicious Source (#4946)
* change indices in ESQL query
* adjusted rule name
2025-07-31 09:57:02 -04:00
Terrance DeJesus
756a7f49ba
[Rule Tuning] Microsoft Entra ID MFA TOTP Brute Force Attempts (#4937)
* tuning rule 'Microsoft Entra ID MFA TOTP Brute Force Attempts'
* adjusted logic
2025-07-29 09:24:20 -04:00
github-actions[bot]
f348e92f06
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4926)
2025-07-22 21:19:44 +05:30
Eric Forte
0cb1e596b3
[Bug] [DAC] Kibana Export Rules Rule Name Filter Exports All Rules (#4917)
* Add check for not rule_id
2025-07-22 11:32:17 -04:00
shashank-elastic
64db33a50b
[Rule Tuning] Azure Key Vault Secret Key Usage by Unusual Identity (#4925)
2025-07-22 20:22:31 +05:30
github-actions[bot]
3bec392e66
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4924)
2025-07-22 18:10:32 +05:30
Mika Ayenson, PhD
3b9e927ca8
[Rule Tuning] OIDC Discovery URL Changed in Entra ID (#4923)
2025-07-22 17:31:45 +05:30
github-actions[bot]
b3c681e475
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4922)
2025-07-22 12:50:27 +05:30
shashank-elastic
2a73a572fb
Investigation guides Update (#4920)
2025-07-22 07:52:48 +05:30
Ruben Groenewoud
5c901841a3
[New Rule] Potential Impersonation Attempt via Kubectl (#4833)
* [New Rule] Potential Impersonation Attempt via Kubectl
* ++
* Update defense_evasion_potential_kubectl_impersonation.toml
2025-07-21 10:03:03 +02:00
Isai
15d71a3e5c
[Rule Tuning] AWS EC2 AMI Shared with Another Account (#4914)
2025-07-21 10:12:13 +05:30
Isai
7c45304672
[Rule Deprecated] Deprecated - AWS EC2 Snapshot Activity (#4913)
Completing Deprecation process for AWS EC2 Snapshot Activity
- It's been 2 rule releases since initial name change
- changed maturity to deprecation
- updated deprecation_date
- moved file to _deprecated folder
2025-07-18 19:35:35 -04:00
Isai
b141ebcfa6
[Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules (#4892)
* [Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules
This PR is in part a response to the following issues regarding the future of flattened fields in AWS, which we use as an essential part of our ruleset. However, this is also in response to the ongoing ruleset audit. Some of the flattened fields used are not truly necessary for the alert to trigger or can be replaced by a different field. Those changes have been made here and our non_ecs file has been edited to remove the unnecessary fields. Additionally, flattened fields have been removed from highlighted fields, and from investigation guides.
* Update discovery_ec2_userdata_request_for_ec2_instance.toml
updated_date
* Update execution_ssm_sendcommand_by_rare_user.toml
updated_date
* Update non-ecs-schema.json
add necessary field for ModifyInstanceAttribute action
* Update persistence_ec2_security_group_configuration_change_detection.toml
added missing event.action AuthorizeSecurityGroupIngress, narrowed scope for ModifyInstanceAttribute action by adding a necessary flattened_field
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
updated min_stack_version for new field target.entity.id
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
* Update privilege_escalation_iam_update_assume_role_policy.toml
updating min_stack to account for target.entity.id field
* Update impact_s3_excessive_object_encryption_with_sse_c.toml
adding highlighted fields
* Update rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
* Apply suggestions from code review
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-07-18 19:15:36 -04:00
Terrance DeJesus
c2880afa06
[New Rule] OIDC Discovery URL Changed in Entra ID (#4908)
* new rule OIDC Discovery URL Changed in Entra ID
* added references
* removed indexes
* Update rules/integrations/azure/persistence_entra_id_oidc_discovery_url_change.toml
* adjusted for ESQL standardization
2025-07-18 10:26:02 -04:00
Terrance DeJesus
a3a2fcdff5
[New Rule] Azure Key Vault Secret Key Usage by Unusual Identity (#4900)
* new rule Azure Key Vault Secret Key Usage by Unusual Identity
* added index
* added non-ecs field
* added azure.resource.name to new terms
* Update rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
* adjusted new terms
* Update rules/integrations/azure/credential_access_azure_key_vault_retrieval_from_rare_identity.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-07-18 10:01:45 -04:00
Terrance DeJesus
8e99bace44
[New Rule] External Authentication Method Addition or Modification in Entra ID (#4906)
* new rule External Authentication Method Addition or Modification in Entra ID
* added references
* adjusted to new terms
2025-07-18 09:45:33 -04:00
Terrance DeJesus
72afee06ca
[New Rule] Excessive Secret or Key Retrieval from Azure Key Vault (#4898)
* new rule Excessive Secret or Key Retrieval from Azure Key Vault
* adjusted query for ESQL standardization
* adjusted from ESQL to Esql
2025-07-18 09:30:10 -04:00
Ruben Groenewoud
9f46d5b496
[New Rule] Kubernetes Unusual Decision by User Agent (#4829)
* [New Rule] Kubernetes Unusual Request Response by User Agent
* ++
* Update execution_unusual_request_response_by_user_agent.toml
* Update rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
* Update execution_unusual_request_response_by_user_agent.toml
* Update rules/integrations/kubernetes/execution_unusual_request_response_by_user_agent.toml
2025-07-18 09:44:02 +02:00
Terrance DeJesus
0f8c53e4d2
[Rule Tuning] Azure Key Vault Modified (#4896)
* tuning rule Azure Key Vault Modified
* Update rules/integrations/azure/impact_azure_key_vault_modified.toml
* adjusted description
* Update rules/integrations/azure/impact_azure_key_vault_modified.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-07-17 09:31:58 -04:00
Ruben Groenewoud
d510a965e9
[New Rule] Unusual Kill Signal (#4911)
* [New Rule] Unusual Kill Signal
* Update defense_evasion_unsual_kill_signal.toml
* Update defense_evasion_unsual_kill_signal.toml
2025-07-17 15:05:28 +02:00
Ruben Groenewoud
0d04f98c24
[Rule Tuning] Sudoers File Modification (#4904)
* [Rule Tuning] Sudoers File Modification
* [Rule Tuning] Sudoers File Modification
2025-07-16 10:17:51 +02:00
Isai
494a9e0d25
[Rule Tuning] AWS IAM API Calls via Temporary Session Tokens (#4901)
- rule triggers as expected, however it's triggering for failed requests
- added `event.outcome: success` to query
- added highlighted fields
- adjusted rule execution window
2025-07-15 19:13:16 -04:00
shashank-elastic
bbdde20f7b
Fix variable usage impacting schema build performance (#4910)
2025-07-15 21:20:30 +05:30
Terrance DeJesus
51b6f0dbd7
[Rule Deprecation] Azure Virtual Network Device Modified or Deleted (#4889)
* deprecating 'Azure Virtual Network Device Modified or Deleted'
* changed maturity
2025-07-14 15:58:11 -04:00
Sergey Polzunov
c0631d2df2
fix: Better aligning prompt behaviour with jsonschema types (#4894)
* Check for `["array"]` in addition to `"array"`
* version bump
* Exclude non-ecs-schema.json from CI check
2025-07-11 07:10:47 -05:00
Marc-Antoine Leclercq
1b12ecff87
Clarify authentication settings to Kibana related to #4495 (#4819)
* Update CLI.md
Removing mentions of kibana_user and kibana_password since #4495 removed them entirely.
* Bump patch version
* Bump patch version
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2025-07-10 15:21:01 -04:00
Eric Forte
03f977246f
[FR] Updates to KQL Lib Parsing and Install (#3605)
* Bump Version
* updated
* Bump patch version
* Optimization should only occur on single values
* Wildcard semantically equivalent to query_string*
* Add unit test for optimization
* Move code-checks to yml
* Add tests path to code-checks
* Add lib path for code-checks
* Install deps from local
* Update DSL optimization unit test
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-07-10 15:03:08 -04:00
shashank-elastic
b70792082a
Fix pipe characters in rule descriptions (#4893)
2025-07-10 15:11:20 +05:30
dependabot[bot]
932163e9cd
Bump setuptools from 75.2.0 to 78.1.1 and lock marshmallow-dataclass[union] to 8.6.1 (#4730)
* Bump setuptools from 75.2.0 to 78.1.1
Bumps [setuptools](https://github.com/pypa/setuptools) from 75.2.0 to 78.1.1.
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](https://github.com/pypa/setuptools/compare/v75.2.0...v78.1.1)
---
updated-dependencies:
- dependency-name: setuptools
dependency-version: 78.1.1
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
* Bump Package Version
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2025-07-09 18:08:31 -04:00
Eric Forte
898be50e95
[Bug] Fix Filter Support for Import Rules (#4852)
* Fix Filter Support for Import Rules
* Patch Bump
* Update Remove CLI Test Script
* Ruff formatting
2025-07-09 10:07:42 -04:00
Terrance DeJesus
6e2936aa8c
[New Rule] TeamFiltration User-Agents Detected (#4868)
* new rule TeamFiltration User-Agents Detected
* changed UUID
* tightened index scope
* fixing query optimization
* adjusted query
2025-07-08 09:56:06 -04:00
github-actions[bot]
52a3652965
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4887)
2025-07-08 15:05:39 +05:30
shashank-elastic
7175b3ab06
Add investigation guides for detection rules (#4886)
2025-07-08 00:25:42 +05:30
Terrance DeJesus
acfc106164
new rule Suspicious Entra ID OAuth User Impersonation Scope Detected (#4876)
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-07-07 14:29:06 -04:00
shashank-elastic
9b292b97ea
Prep 8.19/9.1 (#4869)
* Prep 8.19/9.1 Release
* Download Beats Schema
* Download API Schema
* Download 8.18.3 Beats Schema
* Download Latest Integrations manifest and schema
* Comment old schemas
* Update Patch version
2025-07-07 11:27:48 -04:00
Jonhnathan
782605ae07
[Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts (#4867)
* [Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts
* bump updated_date
* Fix DSL exception
2025-07-07 10:56:13 -03:00
Jonhnathan
d42128cdbf
[Rule Tuning] Windows Misc Tuning (#4870)
* [Rule Tuning] Windows Misc Tuning
* Update execution_command_shell_started_by_svchost.toml
* bump
* Update rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_persistence_account_tokenfilterpolicy.toml
2025-07-07 10:32:12 -03:00
Terrance DeJesus
6a083ec984
[New Rule] Unusual ROPC Login Attempt by User Principal (#4871)
* new rule Unusual ROPC Login Attempt by User Principal
* linted
2025-07-03 14:43:19 -04:00
Jonhnathan
1e416b64da
[Hunt] Remove Default Namespace from indexes (#4866)
* [Hunt] Remove Default Namespace from indexes
* markdown
2025-07-03 11:08:29 -03:00