sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Select branches

Hide Pull Requests

main

7.11

ML-Beaconing-20211130-1

ML-Beaconing-20211216-1

ML-DGA-20201111-1

ML-DGA-20201111-2

ML-DGA-20201111-3

ML-DGA-20201118-1

ML-DGA-20201216-1

ML-DGA-20210421-2

ML-DGA-20210421-3

ML-DGA-20210601-3

ML-DGA-20210602-3

ML-DGA-20210604-4

ML-DGA-20210629-5

ML-DGA-20210706-5

ML-HostRiskScore-20210728-1

ML-HostRiskScore-20210803-1

ML-HostRiskScore-20210826-2

ML-HostRiskScore-20211007-3

ML-HostRiskScore-20220210-4

ML-HostRiskScore-20220215-4

ML-HostRiskScore-20220228-5

ML-HostRiskScore-20220404-5

ML-ProblemChild-20210519-1

ML-ProblemChild-20210520-1

ML-ProblemChild-20210526-1

ML-ProblemChild-20210602-1

ML-URLSpoof-20210804-1

ML-URLSpoof-20210805-1

ML-UserRiskScore-20220628-1

ML-UserRiskScore-20220812-2

ML-experimental-detections-20200506-3

ML-experimental-detections-20201028-1

ML-experimental-detections-20201029-1

ML-experimental-detections-20201118-1

ML-experimental-detections-20201209-1

ML-experimental-detections-20201221-2

ML-experimental-detections-20210527-4

ML-experimental-detections-20210602-4

ML-experimental-detections-20210603-5

ML-experimental-detections-20210804-6

ML-experimental-detections-20210805-6

ML-experimental-detections-20211130-7

apr_2025_updates

aug_2025_updates

august_updates

dev-v0.1.0

dev-v0.1.2

dev-v0.1.3

dev-v0.1.4

dev-v0.1.5

dev-v0.1.6

dev-v0.1.7

dev-v0.2.0

dev-v0.2.1

dev-v0.3.0

dev-v0.3.1

dev-v0.3.10

dev-v0.3.11

dev-v0.3.12

dev-v0.3.13

dev-v0.3.14

dev-v0.3.15

dev-v0.3.16

dev-v0.3.17

dev-v0.3.18

dev-v0.3.19

dev-v0.3.2

dev-v0.3.3

dev-v0.3.4

dev-v0.3.5

dev-v0.3.6

dev-v0.3.7

dev-v0.3.8

dev-v0.3.9

dev-v0.4.0

dev-v0.4.1

dev-v0.4.10

dev-v0.4.11

dev-v0.4.12

dev-v0.4.13

dev-v0.4.14

dev-v0.4.15

dev-v0.4.16

dev-v0.4.17

dev-v0.4.18

dev-v0.4.19

dev-v0.4.2

dev-v0.4.20

dev-v0.4.21

dev-v0.4.22

dev-v0.4.23

dev-v0.4.24

dev-v0.4.25

dev-v0.4.26

dev-v0.4.3

dev-v0.4.4

dev-v0.4.5

dev-v0.4.6

dev-v0.4.7

dev-v0.4.8

dev-v0.4.9

dev-v1.0.0

dev-v1.0.1

dev-v1.0.10

dev-v1.0.13

dev-v1.0.14

dev-v1.0.15

dev-v1.0.16

dev-v1.0.17

dev-v1.0.18

dev-v1.0.2

dev-v1.0.3

dev-v1.0.4

dev-v1.0.5

dev-v1.0.6

dev-v1.0.7

dev-v1.0.8

dev-v1.0.9

dev-v1.1.0

dev-v1.1.1

dev-v1.1.2

dev-v1.1.3

dev-v1.1.4

dev-v1.1.5

dev-v1.1.6

dev-v1.1.7

dev-v1.2.0

dev-v1.2.1

dev-v1.2.10

dev-v1.2.11

dev-v1.2.12

dev-v1.2.13

dev-v1.2.14

dev-v1.2.15

dev-v1.2.16

dev-v1.2.17

dev-v1.2.18

dev-v1.2.19

dev-v1.2.2

dev-v1.2.20

dev-v1.2.21

dev-v1.2.22

dev-v1.2.23

dev-v1.2.24

dev-v1.2.25

dev-v1.2.26

dev-v1.2.3

dev-v1.2.4

dev-v1.2.5

dev-v1.2.7

dev-v1.2.8

dev-v1.2.9

dev-v1.3.0

dev-v1.3.1

dev-v1.3.10

dev-v1.3.11

dev-v1.3.12

dev-v1.3.13

dev-v1.3.14

dev-v1.3.15

dev-v1.3.16

dev-v1.3.17

dev-v1.3.18

dev-v1.3.19

dev-v1.3.2

dev-v1.3.20

dev-v1.3.21

dev-v1.3.22

dev-v1.3.23

dev-v1.3.24

dev-v1.3.25

dev-v1.3.26

dev-v1.3.27

dev-v1.3.28

dev-v1.3.29

dev-v1.3.3

dev-v1.3.30

dev-v1.3.31

dev-v1.3.32

dev-v1.3.33

dev-v1.3.4

dev-v1.3.5

dev-v1.3.6

dev-v1.3.7

dev-v1.3.9

dev-v1.4.0

dev-v1.4.1

dev-v1.4.10

dev-v1.4.11

dev-v1.4.12

dev-v1.4.2

dev-v1.4.3

dev-v1.4.4

dev-v1.4.5

dev-v1.4.6

dev-v1.4.7

dev-v1.4.8

dev-v1.4.9

dev-v1.5.0

dev-v1.5.1

dev-v1.5.10

dev-v1.5.11

dev-v1.5.12

dev-v1.5.13

dev-v1.5.14

dev-v1.5.15

dev-v1.5.16

dev-v1.5.17

dev-v1.5.18

dev-v1.5.19

dev-v1.5.2

dev-v1.5.20

dev-v1.5.21

dev-v1.5.22

dev-v1.5.23

dev-v1.5.24

dev-v1.5.25

dev-v1.5.26

dev-v1.5.27

dev-v1.5.28

dev-v1.5.29

dev-v1.5.3

dev-v1.5.31

dev-v1.5.32

dev-v1.5.33

dev-v1.5.34

dev-v1.5.35

dev-v1.5.36

dev-v1.5.37

dev-v1.5.38

dev-v1.5.39

dev-v1.5.4

dev-v1.5.40

dev-v1.5.41

dev-v1.5.42

dev-v1.5.43

dev-v1.5.44

dev-v1.5.45

dev-v1.5.46

dev-v1.5.47

dev-v1.5.48

dev-v1.5.49

dev-v1.5.5

dev-v1.5.50

dev-v1.5.51

dev-v1.5.52

dev-v1.5.53

dev-v1.5.54

dev-v1.5.56

dev-v1.5.6

dev-v1.5.7

dev-v1.5.8

dev-v1.5.9

dev-v1.6.0

dev-v1.6.1

dev-v1.6.10

dev-v1.6.11

dev-v1.6.12

dev-v1.6.13

dev-v1.6.14

dev-v1.6.15

dev-v1.6.16

dev-v1.6.17

dev-v1.6.18

dev-v1.6.19

dev-v1.6.2

dev-v1.6.20

dev-v1.6.21

dev-v1.6.22

dev-v1.6.23

dev-v1.6.24

dev-v1.6.25

dev-v1.6.26

dev-v1.6.28

dev-v1.6.29

dev-v1.6.3

dev-v1.6.30

dev-v1.6.31

dev-v1.6.32

dev-v1.6.4

dev-v1.6.5

dev-v1.6.6

dev-v1.6.7

dev-v1.6.8

dev-v1.6.9

dev7.10-ML-DGA-v0.1.0

dev7.10-ML-DGA-v0.1.0.zip

dev7.10-abc-v0.1.0

feb_2025_updates

integration-v0.13.1

integration-v0.13.2

integration-v0.13.3

integration-v0.14.1

integration-v0.14.2

integration-v0.14.3

integration-v0.16.1

integration-v0.16.2

integration-v1.0.1

integration-v1.0.2

integration-v7.16.3

integration-v7.16.4

integration-v7.16.5

integration-v8.1.1

integration-v8.10.1

integration-v8.10.10

integration-v8.10.11

integration-v8.10.12

integration-v8.10.13

integration-v8.10.14

integration-v8.10.15

integration-v8.10.16

integration-v8.10.17

integration-v8.10.18

integration-v8.10.2

integration-v8.10.3

integration-v8.10.4

integration-v8.10.5

integration-v8.10.6

integration-v8.10.7

integration-v8.10.8

integration-v8.10.9

integration-v8.11.1

integration-v8.11.10

integration-v8.11.11

integration-v8.11.12

integration-v8.11.13

integration-v8.11.14

integration-v8.11.15

integration-v8.11.16

integration-v8.11.17

integration-v8.11.18

integration-v8.11.19

integration-v8.11.2

integration-v8.11.20

integration-v8.11.21

69173872da [Tuning] Connection to Commonly Abused Web Services (#3425) Samirbous 2024-04-02 14:41:10 +01:00
22857aca2e [New Rule] Suspicious Access to LDAP Attributes (#2504) Samirbous 2024-04-02 13:57:38 +01:00
ece5175894 [New Rule] Suspicious Access to LDAP Attributes (#2504) Samirbous 2024-04-02 13:57:38 +01:00
f025616cbd [New Rule] Suspicious Access to LDAP Attributes (#2504) Samirbous 2024-04-02 13:57:38 +01:00
5a18a6cea2 [Rule Tuning] Potential Application Shimming via Sdbinst (#3553) Jonhnathan 2024-04-02 06:35:14 -03:00
36c6968d71 [Rule Tuning] Potential Application Shimming via Sdbinst (#3553) Jonhnathan 2024-04-02 06:35:14 -03:00
c781376188 [Rule Tuning] Potential Application Shimming via Sdbinst (#3553) Jonhnathan 2024-04-02 06:35:14 -03:00
de3db7007a [New] Potential Execution via XZBackdoor (#3555) Samirbous 2024-04-02 05:15:04 +01:00
d00325f432 [New] Potential Execution via XZBackdoor (#3555) Samirbous 2024-04-02 05:15:04 +01:00
f2490007e8 [New] Potential Execution via XZBackdoor (#3555) Samirbous 2024-04-02 05:15:04 +01:00
21f23f6d33 [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) Jonhnathan 2024-04-01 20:45:12 -03:00
4eac68bb07 [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) Jonhnathan 2024-04-01 20:45:12 -03:00
b47b91b9ec [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) Jonhnathan 2024-04-01 20:45:12 -03:00
7838042839 [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505) Jonhnathan 2024-04-01 17:44:50 -03:00
9cba1e96e6 [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505) Jonhnathan 2024-04-01 17:44:50 -03:00
67ca13c1ce [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505) Jonhnathan 2024-04-01 17:44:50 -03:00
c1dd8cae21 Update setup guide for ML integration packages (#3475) Susan 2024-04-01 15:02:32 -04:00
390cb8e2d1 Update setup guide for ML integration packages (#3475) Susan 2024-04-01 15:02:32 -04:00
400a84628e Update setup guide for ML integration packages (#3475) Susan 2024-04-01 15:02:32 -04:00
e74f7a4d6b [FR] Add support for investigation_fields (#3550) Mika Ayenson 2024-04-01 11:52:46 -05:00
aef30b595d [FR] Add support for investigation_fields (#3550) Mika Ayenson 2024-04-01 11:52:46 -05:00
bb907a4d76 [FR] Add support for investigation_fields (#3550) Mika Ayenson 2024-04-01 11:52:46 -05:00
69d2f4b607 Fix create PR in release workflow (#3528) shashank-elastic 2024-04-01 21:17:10 +05:30
a2fd651db3 Fix create PR in release workflow (#3528) shashank-elastic 2024-04-01 21:17:10 +05:30
8b215eac41 Fix create PR in release workflow (#3528) shashank-elastic 2024-04-01 21:17:10 +05:30
57627e562f [Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477) Terrance DeJesus 2024-04-01 11:01:20 -04:00
92c5b6ad1b [Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477) Terrance DeJesus 2024-04-01 11:01:20 -04:00
d4bf04256d [Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477) Terrance DeJesus 2024-04-01 11:01:20 -04:00
e7416a6a68 [FR] Add required-fields option to import-rules (#3546) Mika Ayenson 2024-03-28 18:29:47 -05:00
5ab2090060 [FR] Add required-fields option to import-rules (#3546) Mika Ayenson 2024-03-28 18:29:47 -05:00
b6a7e7ebda [FR] Add required-fields option to import-rules (#3546) Mika Ayenson 2024-03-28 18:29:47 -05:00
5a7d7cf4a0 [New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543) Jonhnathan 2024-03-28 07:05:35 -03:00
24d4cdaf5d [New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543) Jonhnathan 2024-03-28 07:05:35 -03:00
218c3bead6 [New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543) Jonhnathan 2024-03-28 07:05:35 -03:00
c871bbb6d6 [New Rule] Creation of a DNS-Named Record (#3539) Jonhnathan 2024-03-27 18:21:07 -03:00
f217aed00d [New Rule] Creation of a DNS-Named Record (#3539) Jonhnathan 2024-03-27 18:21:07 -03:00
954a93c3b4 [New Rule] Creation of a DNS-Named Record (#3539) Jonhnathan 2024-03-27 18:21:07 -03:00
06dcbb80f5 [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation (#3535) Jonhnathan 2024-03-27 10:07:23 -03:00
fff1170ffc [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation (#3535) Jonhnathan 2024-03-27 10:07:23 -03:00
67e9ebf8e1 [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation (#3535) Jonhnathan 2024-03-27 10:07:23 -03:00
bfd3289680 [New] Suspicious Execution via ScreenConnect (#3541) Samirbous 2024-03-27 11:52:47 +00:00
09b2ff76a9 [New] Suspicious Execution via ScreenConnect (#3541) Samirbous 2024-03-27 11:52:47 +00:00
d7aff43621 [New] Suspicious Execution via ScreenConnect (#3541) Samirbous 2024-03-27 11:52:47 +00:00
e388aaf409 fix typo in lateral_movement_remote_services.toml (#3538) ALEXANDER MA COTE 2024-03-27 06:38:57 -04:00
28b6e2c042 fix typo in lateral_movement_remote_services.toml (#3538) ALEXANDER MA COTE 2024-03-27 06:38:57 -04:00
138447221f fix typo in lateral_movement_remote_services.toml (#3538) ALEXANDER MA COTE 2024-03-27 06:38:57 -04:00
75a0a3f338 [Rule Tuning] Scheduled Task Activity via pwsh (#3534) Ruben Groenewoud 2024-03-26 14:45:04 +01:00
155ac20303 [Rule Tuning] Scheduled Task Activity via pwsh (#3534) Ruben Groenewoud 2024-03-26 14:45:04 +01:00
760b99bcc1 [Rule Tuning] Scheduled Task Activity via pwsh (#3534) Ruben Groenewoud 2024-03-26 14:45:04 +01:00
5ce96738c4 [New] Suspicious JetBrains TeamCity Child Process (#3532) Samirbous 2024-03-25 16:32:56 +00:00
9fa3292200 [New] Suspicious JetBrains TeamCity Child Process (#3532) Samirbous 2024-03-25 16:32:56 +00:00
fc76a8bcb5 [New] Suspicious JetBrains TeamCity Child Process (#3532) Samirbous 2024-03-25 16:32:56 +00:00
6bf3a82f51 Update sort parameter (#3531) Eric Forte 2024-03-25 11:46:30 -04:00
149c78b390 Update sort parameter (#3531) Eric Forte 2024-03-25 11:46:30 -04:00
3503786154 Update sort parameter (#3531) Eric Forte 2024-03-25 11:46:30 -04:00
dda6a33f70 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526) integration-v8.11.11 github-actions[bot] 2024-03-21 20:30:46 +05:30
981702698c Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526) integration-v8.10.14 github-actions[bot] 2024-03-21 20:30:46 +05:30
eaf4658620 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3526) github-actions[bot] 2024-03-21 20:30:46 +05:30
43d0fa1aad [Bug] Update lock versions dependencies (#3525) Mika Ayenson 2024-03-21 08:35:24 -05:00
ba1158808f [Bug] Update lock versions dependencies (#3525) Mika Ayenson 2024-03-21 08:35:24 -05:00
fc7cc2c06a [Bug] Update lock versions dependencies (#3525) Mika Ayenson 2024-03-21 08:35:24 -05:00
b6aff9b2e5 [New Rules] Veeam Credential Access DRs (#3516) Jonhnathan 2024-03-21 10:00:48 -03:00
7f3799319d [New Rules] Veeam Credential Access DRs (#3516) Jonhnathan 2024-03-21 10:00:48 -03:00
779fa7710d [New Rules] Veeam Credential Access DRs (#3516) Jonhnathan 2024-03-21 10:00:48 -03:00
f0a06bc56b [Rule Tuning] Potential Reverse Shell via UDP (#3508) Ruben Groenewoud 2024-03-21 13:48:41 +01:00
ce984b8531 [Rule Tuning] Potential Reverse Shell via UDP (#3508) Ruben Groenewoud 2024-03-21 13:48:41 +01:00
a6028b43b3 [Rule Tuning] Potential Reverse Shell via UDP (#3508) Ruben Groenewoud 2024-03-21 13:48:41 +01:00
4f0bd6e165 Update README.md (#3524) Mika Ayenson 2024-03-20 13:32:26 -05:00
b06b730213 Update README.md (#3524) Mika Ayenson 2024-03-20 13:32:26 -05:00
e37bc6f781 Update README.md (#3524) Mika Ayenson 2024-03-20 13:32:26 -05:00
88181b0f80 [Rule Tuning] SMTP on Port 26/TCP (#3521) Mika Ayenson 2024-03-19 15:55:25 -05:00
32ed8f141d [Rule Tuning] SMTP on Port 26/TCP (#3521) Mika Ayenson 2024-03-19 15:55:25 -05:00
07abc19932 [Rule Tuning] SMTP on Port 26/TCP (#3521) Mika Ayenson 2024-03-19 15:55:25 -05:00
edf52a578c [FR] Update Python Dependency Versions (#3515) Mika Ayenson 2024-03-19 14:07:16 -05:00
f66da9d350 [FR] Update Python Dependency Versions (#3515) Mika Ayenson 2024-03-19 14:07:16 -05:00
5c3523954e [FR] Update Python Dependency Versions (#3515) Mika Ayenson 2024-03-19 14:07:16 -05:00
078c86ab40 [Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' (#3494) Terrance DeJesus 2024-03-15 19:08:28 -04:00
b19541f0f8 [Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' (#3494) Terrance DeJesus 2024-03-15 19:08:28 -04:00
f6e79944f2 [Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' (#3494) Terrance DeJesus 2024-03-15 19:08:28 -04:00
434b3ffcc0 [FR] Independently package kql / kibana and bump to py3.12 (#3514) Mika Ayenson 2024-03-14 20:18:32 -05:00
3354460843 [FR] Independently package kql / kibana and bump to py3.12 (#3514) Mika Ayenson 2024-03-14 20:18:32 -05:00
d26981f712 [FR] Independently package kql / kibana and bump to py3.12 (#3514) Mika Ayenson 2024-03-14 20:18:32 -05:00
3d2a36be32 Revert "[FR] Independently package kql / kibana and bump to py3.12 (#3492)" Mika Ayenson 2024-03-14 19:48:50 -05:00
fc139fc3c2 [FR] Independently package kql / kibana and bump to py3.12 (#3492) Mika Ayenson 2024-03-14 19:14:25 -05:00
2af0c64945 [FR] Add support for dataviews in the rule schema (#3510) Mika Ayenson 2024-03-14 17:43:27 -05:00
f1542e6ef5 [FR] Add support for dataviews in the rule schema (#3510) Mika Ayenson 2024-03-14 17:43:27 -05:00
8724077a0e [FR] Add support for dataviews in the rule schema (#3510) Mika Ayenson 2024-03-14 17:43:27 -05:00
0a729b77a4 Beaconing - Add whitelist to rules, with some more processes (#3497) Susan 2024-03-14 15:51:02 -04:00
a4ecfe3ccf Beaconing - Add whitelist to rules, with some more processes (#3497) Susan 2024-03-14 15:51:02 -04:00
a08cbc7390 [Rule Tuning] Guided Onboarding Rule (#3502) Jonhnathan 2024-03-14 10:59:31 -03:00
18a34a15ff [Rule Tuning] Guided Onboarding Rule (#3502) Jonhnathan 2024-03-14 10:59:31 -03:00
c610e19114 [Rule Tuning] Guided Onboarding Rule (#3502) Jonhnathan 2024-03-14 10:59:31 -03:00
4fec1a766e [New Rules] mprotect() RWX Binary Execution (#3507) Ruben Groenewoud 2024-03-13 22:11:44 +01:00
9f234eecc7 [New Rules] mprotect() RWX Binary Execution (#3507) Ruben Groenewoud 2024-03-13 22:11:44 +01:00
4179180fcb [New Rules] mprotect() RWX Binary Execution (#3507) Ruben Groenewoud 2024-03-13 22:11:44 +01:00
22ed934946 [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) Jonhnathan 2024-03-13 10:27:44 -03:00
b43003c3f1 [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) Jonhnathan 2024-03-13 10:27:44 -03:00
f5254f3b5e [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) Jonhnathan 2024-03-13 10:27:44 -03:00
11168606d5 [Tuning] event.action and event.type change (#3495) Ruben Groenewoud 2024-03-13 10:11:21 +01:00
578e86eeae [Tuning] event.action and event.type change (#3495) Ruben Groenewoud 2024-03-13 10:11:21 +01:00

... 18 19 20 21 22 ...