security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Commit Graph

  • 8993d1450b [Rule Tuning] Add Supplemental Mitre Mappings (#5876) Mika Ayenson, PhD 2026-04-01 09:12:42 -05:00
  • 116f48ccda [New] Elastic Defend Alert from Package Manager Install Ancestry (#5905) Samirbous 2026-03-31 23:33:46 +01:00
  • 62b60f9a78 [Rule Tuning] Curl or Wget Spawned via Node.js (#5904) Ruben Groenewoud 2026-03-31 18:36:59 +02:00
  • c932ececd9 [Rule Tuning] M365 Identity Login from Atypical Travel Location - Reduce FP Noise (#5866) Terrance DeJesus 2026-03-26 16:03:38 -04:00
  • 60beaff33f [Rule Tuning] Entra ID OAuth User Impersonation to Microsoft Graph (#5864) Terrance DeJesus 2026-03-26 15:48:23 -04:00
  • d9890db6ff Lock versions for releases: 8.19,9.1,9.2,9.3 (#5888) dev-v1.6.10 github-actions[bot] 2026-03-26 12:31:50 -05:00
  • c6f843ef9d [New Rules] LiteLLM & Trivy TeamPCP Compromise (#5885) Ruben Groenewoud 2026-03-26 17:16:30 +01:00
  • a8033e14aa rule tuning add ICP blockchain indicator (#5887) Terrance DeJesus 2026-03-26 12:09:51 -04:00
  • befd78524e [Rule Tuning] Python Path File (pth) Creation (#5880) Ruben Groenewoud 2026-03-26 16:56:56 +01:00
  • cd19b25485 [New Rule] M365 Azure Monitor Alert Email with Financial or Billing Theme (#5878) dev-v1.6.9 Terrance DeJesus 2026-03-26 11:50:15 -04:00
  • 06ea087363 [Tuning] Multiple Cloud Secrets Accessed by Source Address (#5884) Samirbous 2026-03-26 15:49:19 +00:00
  • a08d6b4ff7 [Rule Tuning] Entra ID Federation Abuse to Production (#5881) Terrance DeJesus 2026-03-26 11:45:12 -04:00
  • 18a28762bf [Rule Tuning] M365 SharePoint/OneDrive File Access via PowerShell - Convert to new_terms (#5873) Terrance DeJesus 2026-03-26 11:28:36 -04:00
  • 5d5e1d9ca4 [Tuning] Expand compatibility to extra OS (#5883) Samirbous 2026-03-26 12:10:17 +00:00
  • 09a3c0c813 [New] Potential Credential Discovery via Recursive Grep (#5882) Samirbous 2026-03-26 11:27:33 +00:00
  • 75ffa5ec4e [FR] [DaC] Add fine-grained bypass env var for ES|QL keep and metadata validation (#5869) dev-v1.6.8 Eric Forte 2026-03-24 14:36:45 -04:00
  • b14dec9efa Lock versions for releases: 8.19,9.1,9.2,9.3 (#5875) dev-v1.6.7 github-actions[bot] 2026-03-23 23:45:25 +05:30
  • 07ccecb94b Add investigation guide for database dumping activity (#5871) shashank-elastic 2026-03-23 22:22:52 +05:30
  • 057fe30199 [New] RMM Rules (#5848) Samirbous 2026-03-23 16:41:52 +00:00
  • 3ce89a3ccf [Rule Tuning] Sensitive Audit Policy Sub-Category Disabled (#5859) Jonhnathan 2026-03-23 13:25:35 -03:00
  • 38e1456eca [Rule Tuning] Misc Rule Tuning (#5858) Jonhnathan 2026-03-23 13:01:06 -03:00
  • 4217c76ed4 [Rule Tuning] M365 Exchange Inbox Forwarding Rule Created (#5852) Terrance DeJesus 2026-03-23 10:25:58 -04:00
  • c0abe39f8a [Rule Tuning] Remove OIDC email scope from Microsoft Graph Email Access Rule (#5856) Terrance DeJesus 2026-03-23 10:08:47 -04:00
  • 53553e0bfb [Rule Tuning] Microsoft Graph Request User Impersonation by Unusual Client (#5861) Terrance DeJesus 2026-03-23 09:46:40 -04:00
  • 24dc5af02f Initial DaC Issue Template (#5854) Eric Forte 2026-03-23 08:56:29 -04:00
  • 062a065722 [Tuning] Add Missing executable file extensions (#5857) Samirbous 2026-03-23 12:23:51 +00:00
  • e788ab7e73 [New/tuning] WarLock coverage (#5846) Samirbous 2026-03-23 11:01:12 +00:00
  • 7bde0a9d2d [Tuning] Mis Rules Tuning (#5817) Samirbous 2026-03-23 10:49:23 +00:00
  • 5216bf2d0c [New Rules] AppArmor Exploitation (CrackArmor) (#5842) Ruben Groenewoud 2026-03-23 09:37:42 +01:00
  • 02adbfb2b0 [New / Tuning] LeakNet cov (#5850) Samirbous 2026-03-20 21:11:26 +00:00
  • ade7de7be4 [New Rules] External Promotion Alert for IBM QRadar (#5843) dev-v1.6.6 Mika Ayenson, PhD 2026-03-20 14:42:43 -05:00
  • de6eb0f10d [New Rule] Potential snap-confine Privilege Escalation via CVE-2026-3888 (#5845) Ruben Groenewoud 2026-03-20 09:34:17 +01:00
  • 71bcbef8d0 [Rule Tuning] Tuning Host Name to Agent Name for Compatibility (#5849) Ruben Groenewoud 2026-03-19 14:43:34 +01:00
  • a4b614c681 [New/Tuning] New DB Dump Rule & Tuning wget/curl DRs (#5832) Ruben Groenewoud 2026-03-19 13:57:34 +01:00
  • e49a3f0310 [New Rule] AWS API Activity from Uncommon S3 Client by Rare User (#5694) Isai 2026-03-18 18:07:15 -04:00
  • 7ae298005d [Bug] KQL Validation Add Wildcard w/ Space token value (#5753) dev-v1.6.5 Isai 2026-03-18 17:38:24 -04:00
  • f84617ba8e bumping date (#5847) Terrance DeJesus 2026-03-18 17:22:55 -04:00
  • cb5b89f83e [FR] Includes deprecated rule stubs to the package for upstream testing (#5813) dev-v1.6.4 Davis Plumlee 2026-03-18 15:34:25 -04:00
  • 7bd2e2911c Update command_and_control_common_webservices.toml (#5831) Samirbous 2026-03-18 12:38:29 +00:00
  • 8b140d5811 [Rule Tuning] Added Traefik Compatibility to Web Server Access Rules (#5837) dev-v1.6.3 Ruben Groenewoud 2026-03-17 17:28:47 +01:00
  • 5d3e17eaff [Rule Tuning] Dynamic Linker Copy (#5841) Ruben Groenewoud 2026-03-17 17:12:08 +01:00
  • 49b660a135 [New Rules] New Terms rules for malicious Python/Pickle model activity on macOS (#5780) Colson Wilhoit 2026-03-17 10:59:08 -05:00
  • 937a7a35e6 [New Rule] Azure Arc Kubernetes Cluster Connect Abuse (#5824) Terrance DeJesus 2026-03-17 11:06:47 -04:00
  • 4091323e0d [New Rule] M365 SharePoint Site Administrator Added (#5806) Terrance DeJesus 2026-03-17 10:49:24 -04:00
  • 3b59030211 [New Rule] AWS CloudShell Environment Created (#5830) Isai 2026-03-17 08:46:59 -04:00
  • 49c9c283e6 [FR] Reset deprecated lock to the latest state during lock (#5827) dev-v1.6.2 Mika Ayenson, PhD 2026-03-16 17:04:56 -05:00
  • d74c83140b [Maintenance] Update .gitignore for AI Artifacts (Skills, MCP, etc.) (#5833) dev-v1.6.1 Terrance DeJesus 2026-03-13 13:08:19 -04:00
  • 721ef0b9c7 [Rule Tuning] Misc GenAI Tuning (#5825) Mika Ayenson, PhD 2026-03-11 11:46:33 -05:00
  • ce3916f99f Bump minor version (#5822) dev-v1.6.0 Eric Forte 2026-03-10 13:39:49 -04:00
  • 57bf1546dd [Bug] [DAC] Add filtering to export-rules-from-repo (#5769) dev-v1.5.56 Eric Forte 2026-03-10 13:03:52 -04:00
  • 1d3dad243c [Rule Tuning] Entra ID OAuth Device Code Grant by Unusual User (#5791) Terrance DeJesus 2026-03-10 10:37:38 -04:00
  • 0ae390ce6f [New Rule] Entra ID Domain Federation Abuse (#5809) Terrance DeJesus 2026-03-10 10:16:50 -04:00
  • 386e69bfea [New Rule] M365 SharePoint Site Sharing Policy Weakened (#5795) Terrance DeJesus 2026-03-10 09:48:59 -04:00
  • 61211a2670 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5820) dev-v1.5.54 github-actions[bot] 2026-03-10 18:49:55 +05:30
  • 2d6172e9c2 Update command_and_control_dns_rmm_domains_non_browser.toml (#5819) Samirbous 2026-03-10 12:07:39 +00:00
  • 87badac5a0 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5818) dev-v1.5.53 github-actions[bot] 2026-03-10 15:33:16 +05:30
  • 26d37dd62e [Bug] Ignore Other Keep Wildcards (#5792) dev-v1.5.52 Eric Forte 2026-03-09 19:33:27 -04:00
  • 926befff83 [Rule Tuning] AWS Access Token Used from Multiple Addresses (#5785) Isai 2026-03-09 13:57:57 -04:00
  • afcb342c55 [Tuning/New] RMM Rules (#5810) Samirbous 2026-03-09 16:33:47 +00:00
  • ec4a0e58e4 [New] Suspicious Execution from VS Code Extension (#5786) Samirbous 2026-03-09 16:22:41 +00:00
  • 39cdb3887f [New/Tuning] TeamPCP Simulation - New & Tuned Rules (#5812) Ruben Groenewoud 2026-03-09 17:03:39 +01:00
  • 2276987104 [New] Elastic Defend Alert from GenAI Utility or Descendant (#5793) Samirbous 2026-03-09 15:53:25 +00:00
  • a7c34ebf3b [New] Potential Account Takeover - Logon from New Source IP (#5770) Samirbous 2026-03-09 15:33:57 +00:00
  • 99bdb22a8d [Rule Tuning] Base64 Decoded Payload Piped to Interpreter (#5811) Ruben Groenewoud 2026-03-09 15:06:14 +01:00
  • e08f234b1c Monthly Manifest and Schema Updation (#5816) dev-v1.5.51 shashank-elastic 2026-03-09 18:45:06 +05:30
  • 94c73e3ad7 [FR] Minor Typo Fixes (#5784) Eric Forte 2026-03-06 17:12:45 -05:00
  • c24f84b5b0 [Rule Tuning] kubernetes.audit.userAgent --> user_agent.original Conversion (#5808) Ruben Groenewoud 2026-03-05 14:13:30 +01:00
  • a9f3f8afbb Do not fire on denied events (#5805) Eric Forte 2026-03-04 14:05:50 -05:00
  • 1e777d9be7 [Rule Tuning] AWS STS Role Assumption by User (#5796) Isai 2026-03-04 13:01:49 -05:00
  • 4233059510 [Rule Tuning] Unusual Process For a Windows Host - from for 6h bucket span (#5797) yuriShafet 2026-03-03 14:56:30 -05:00
  • dc7d8960de [Tuning] LSASS Process Access via Windows API (#5807) Samirbous 2026-03-03 19:05:47 +00:00
  • aaf99b1873 [Rule Tuning] agent.id --> host.id new_terms Key Modification (#5802) Ruben Groenewoud 2026-03-02 13:24:25 +01:00
  • 52adb7187f Update impact_alerts_on_host_with_cpu_spike.toml (#5789) Samirbous 2026-02-27 08:56:27 +00:00
  • c5dbd90662 [Rule Tunings] Add Console Session Filtering to AWS Temporary Credential Detection Rules (#5781) Isai 2026-02-26 17:21:18 -05:00
  • 5ecbc0f0b9 [New Rule] Microsoft 365 SharePoint/OneDrive Sensitive Search and File Access (#5777) Terrance DeJesus 2026-02-26 14:29:14 -05:00
  • 71c461d867 [New Rule] M365 MFA Notification Email Deleted or Moved (#5779) Terrance DeJesus 2026-02-26 13:21:08 -05:00
  • 8593116f58 [New Rule] Okta User Authentication via Proxy Followed by Security Alert (#5752) Terrance DeJesus 2026-02-26 11:32:25 -05:00
  • 080cd47337 [Bug] test_integration_tag incorrectly flags higher-order rules using .alerts-security.* index (#5783) dev-v1.5.50 Terrance DeJesus 2026-02-26 11:06:12 -05:00
  • 04ad018f27 [Rule Tuning] M365 OneDrive/SharePoint Excessive File Downloads (#5767) Terrance DeJesus 2026-02-26 10:38:59 -05:00
  • 4201fe6f8a [Rule Tuning] Telnet Authentication Bypass Rule Tuning (#5771) Eric Forte 2026-02-25 15:43:18 -05:00
  • b2f76bd2c9 Tuning to allow for greater flexibility in integration policy (#5774) Eric Forte 2026-02-25 13:56:02 -05:00
  • feb3041310 [New Rule] Microsoft UAL Security-Related Building-Block Signals (#5746) Terrance DeJesus 2026-02-25 12:10:01 -05:00
  • 201660af36 [Bug] Adding Deprecated Rules to Rules Package Breaks Current Package Build (#5773) dev-v1.5.49 Terrance DeJesus 2026-02-24 13:54:46 -05:00
  • 92a379e034 Lock versions for releases: 8.19,9.1,9.2,9.3 (#5765) dev-v1.5.48 github-actions[bot] 2026-02-24 18:49:27 +05:30
  • 013dace20f adjusted min-stack (#5763) Terrance DeJesus 2026-02-23 17:31:36 -05:00
  • 35a8298bda [Rule Tuning] Entra ID Federated Identity Credential Issuer Modified (#5760) Terrance DeJesus 2026-02-23 12:43:16 -05:00
  • 5ddca45adf [Rule Tuning] Windows Misc Tuning - 2 (#5758) Jonhnathan 2026-02-23 13:09:19 -03:00
  • c349c8eca7 [New Rules] Kernel Discovery & BPF Load/Tampering via bpftool (#5743) Ruben Groenewoud 2026-02-23 16:33:17 +01:00
  • 1e9b9d6d46 [New] FortiGate SSL VPN Login Followed by SIEM Alert by User (#5757) Samirbous 2026-02-23 15:23:08 +00:00
  • 56c737c1d0 [New/Tuning] New LKM Load Rule & FN Tuning Tunneling Rules (#5742) Ruben Groenewoud 2026-02-23 10:01:42 +01:00
  • e012e88342 [Rule Tuning] Kernel Module Load via Built-in Utility (#5736) Ruben Groenewoud 2026-02-23 09:48:12 +01:00
  • 3e9b8bcdc7 [Tuning] Newly Seen FG or Suricata alert (#5734) Samirbous 2026-02-23 08:35:38 +00:00
  • ccb2d5e3b6 [Rule Tuning] LLM Completion Rules (#5744) Mika Ayenson, PhD 2026-02-20 14:43:12 -06:00
  • 5adc118f92 [Bug] ES|QL Validation Add Reverse Lookup Check Against Kibana Value (#5747) dev-v1.5.47 Eric Forte 2026-02-20 15:29:51 -05:00
  • a1c3267529 [FR] Add deprecated file to release for upstream testing (#5749) dev-v1.5.46 Mika Ayenson, PhD 2026-02-20 14:16:27 -06:00
  • 6a7c1e9674 [Rule Deprecation] Deprecate Individual MSFT Compliance Rules (#5679) Terrance DeJesus 2026-02-20 14:00:34 -05:00
  • c7954465f3 [Rule Tuning] Okta Credential Stuffing, Password Spraying, and Brute Force Detection Improvements (#5723) Terrance DeJesus 2026-02-20 13:36:25 -05:00
  • 3d647feb8c [Rule Tuning] Windows Misc Tunings (#5740) Jonhnathan 2026-02-20 14:11:35 -03:00
  • 8ae6c4fd23 [New] Correlated Alerts on Similar User Identities (#5726) Samirbous 2026-02-20 15:57:34 +00:00
  • 62aa4dcedc [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded (#5739) Isai 2026-02-20 10:41:42 -05:00