sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Select branches

Hide Pull Requests

main

7.11

ML-Beaconing-20211130-1

ML-Beaconing-20211216-1

ML-DGA-20201111-1

ML-DGA-20201111-2

ML-DGA-20201111-3

ML-DGA-20201118-1

ML-DGA-20201216-1

ML-DGA-20210421-2

ML-DGA-20210421-3

ML-DGA-20210601-3

ML-DGA-20210602-3

ML-DGA-20210604-4

ML-DGA-20210629-5

ML-DGA-20210706-5

ML-HostRiskScore-20210728-1

ML-HostRiskScore-20210803-1

ML-HostRiskScore-20210826-2

ML-HostRiskScore-20211007-3

ML-HostRiskScore-20220210-4

ML-HostRiskScore-20220215-4

ML-HostRiskScore-20220228-5

ML-HostRiskScore-20220404-5

ML-ProblemChild-20210519-1

ML-ProblemChild-20210520-1

ML-ProblemChild-20210526-1

ML-ProblemChild-20210602-1

ML-URLSpoof-20210804-1

ML-URLSpoof-20210805-1

ML-UserRiskScore-20220628-1

ML-UserRiskScore-20220812-2

ML-experimental-detections-20200506-3

ML-experimental-detections-20201028-1

ML-experimental-detections-20201029-1

ML-experimental-detections-20201118-1

ML-experimental-detections-20201209-1

ML-experimental-detections-20201221-2

ML-experimental-detections-20210527-4

ML-experimental-detections-20210602-4

ML-experimental-detections-20210603-5

ML-experimental-detections-20210804-6

ML-experimental-detections-20210805-6

ML-experimental-detections-20211130-7

apr_2025_updates

aug_2025_updates

august_updates

dev-v0.1.0

dev-v0.1.2

dev-v0.1.3

dev-v0.1.4

dev-v0.1.5

dev-v0.1.6

dev-v0.1.7

dev-v0.2.0

dev-v0.2.1

dev-v0.3.0

dev-v0.3.1

dev-v0.3.10

dev-v0.3.11

dev-v0.3.12

dev-v0.3.13

dev-v0.3.14

dev-v0.3.15

dev-v0.3.16

dev-v0.3.17

dev-v0.3.18

dev-v0.3.19

dev-v0.3.2

dev-v0.3.3

dev-v0.3.4

dev-v0.3.5

dev-v0.3.6

dev-v0.3.7

dev-v0.3.8

dev-v0.3.9

dev-v0.4.0

dev-v0.4.1

dev-v0.4.10

dev-v0.4.11

dev-v0.4.12

dev-v0.4.13

dev-v0.4.14

dev-v0.4.15

dev-v0.4.16

dev-v0.4.17

dev-v0.4.18

dev-v0.4.19

dev-v0.4.2

dev-v0.4.20

dev-v0.4.21

dev-v0.4.22

dev-v0.4.23

dev-v0.4.24

dev-v0.4.25

dev-v0.4.26

dev-v0.4.3

dev-v0.4.4

dev-v0.4.5

dev-v0.4.6

dev-v0.4.7

dev-v0.4.8

dev-v0.4.9

dev-v1.0.0

dev-v1.0.1

dev-v1.0.10

dev-v1.0.13

dev-v1.0.14

dev-v1.0.15

dev-v1.0.16

dev-v1.0.17

dev-v1.0.18

dev-v1.0.2

dev-v1.0.3

dev-v1.0.4

dev-v1.0.5

dev-v1.0.6

dev-v1.0.7

dev-v1.0.8

dev-v1.0.9

dev-v1.1.0

dev-v1.1.1

dev-v1.1.2

dev-v1.1.3

dev-v1.1.4

dev-v1.1.5

dev-v1.1.6

dev-v1.1.7

dev-v1.2.0

dev-v1.2.1

dev-v1.2.10

dev-v1.2.11

dev-v1.2.12

dev-v1.2.13

dev-v1.2.14

dev-v1.2.15

dev-v1.2.16

dev-v1.2.17

dev-v1.2.18

dev-v1.2.19

dev-v1.2.2

dev-v1.2.20

dev-v1.2.21

dev-v1.2.22

dev-v1.2.23

dev-v1.2.24

dev-v1.2.25

dev-v1.2.26

dev-v1.2.3

dev-v1.2.4

dev-v1.2.5

dev-v1.2.7

dev-v1.2.8

dev-v1.2.9

dev-v1.3.0

dev-v1.3.1

dev-v1.3.10

dev-v1.3.11

dev-v1.3.12

dev-v1.3.13

dev-v1.3.14

dev-v1.3.15

dev-v1.3.16

dev-v1.3.17

dev-v1.3.18

dev-v1.3.19

dev-v1.3.2

dev-v1.3.20

dev-v1.3.21

dev-v1.3.22

dev-v1.3.23

dev-v1.3.24

dev-v1.3.25

dev-v1.3.26

dev-v1.3.27

dev-v1.3.28

dev-v1.3.29

dev-v1.3.3

dev-v1.3.30

dev-v1.3.31

dev-v1.3.32

dev-v1.3.33

dev-v1.3.4

dev-v1.3.5

dev-v1.3.6

dev-v1.3.7

dev-v1.3.9

dev-v1.4.0

dev-v1.4.1

dev-v1.4.10

dev-v1.4.11

dev-v1.4.12

dev-v1.4.2

dev-v1.4.3

dev-v1.4.4

dev-v1.4.5

dev-v1.4.6

dev-v1.4.7

dev-v1.4.8

dev-v1.4.9

dev-v1.5.0

dev-v1.5.1

dev-v1.5.10

dev-v1.5.11

dev-v1.5.12

dev-v1.5.13

dev-v1.5.14

dev-v1.5.15

dev-v1.5.16

dev-v1.5.17

dev-v1.5.18

dev-v1.5.19

dev-v1.5.2

dev-v1.5.20

dev-v1.5.21

dev-v1.5.22

dev-v1.5.23

dev-v1.5.24

dev-v1.5.25

dev-v1.5.26

dev-v1.5.27

dev-v1.5.28

dev-v1.5.29

dev-v1.5.3

dev-v1.5.31

dev-v1.5.32

dev-v1.5.33

dev-v1.5.34

dev-v1.5.35

dev-v1.5.36

dev-v1.5.37

dev-v1.5.38

dev-v1.5.39

dev-v1.5.4

dev-v1.5.40

dev-v1.5.41

dev-v1.5.42

dev-v1.5.43

dev-v1.5.44

dev-v1.5.45

dev-v1.5.46

dev-v1.5.47

dev-v1.5.48

dev-v1.5.49

dev-v1.5.5

dev-v1.5.50

dev-v1.5.51

dev-v1.5.52

dev-v1.5.53

dev-v1.5.54

dev-v1.5.56

dev-v1.5.6

dev-v1.5.7

dev-v1.5.8

dev-v1.5.9

dev-v1.6.0

dev-v1.6.1

dev-v1.6.10

dev-v1.6.11

dev-v1.6.12

dev-v1.6.13

dev-v1.6.14

dev-v1.6.15

dev-v1.6.16

dev-v1.6.17

dev-v1.6.18

dev-v1.6.19

dev-v1.6.2

dev-v1.6.20

dev-v1.6.21

dev-v1.6.22

dev-v1.6.23

dev-v1.6.24

dev-v1.6.25

dev-v1.6.26

dev-v1.6.28

dev-v1.6.29

dev-v1.6.3

dev-v1.6.30

dev-v1.6.31

dev-v1.6.32

dev-v1.6.4

dev-v1.6.5

dev-v1.6.6

dev-v1.6.7

dev-v1.6.8

dev-v1.6.9

dev7.10-ML-DGA-v0.1.0

dev7.10-ML-DGA-v0.1.0.zip

dev7.10-abc-v0.1.0

feb_2025_updates

integration-v0.13.1

integration-v0.13.2

integration-v0.13.3

integration-v0.14.1

integration-v0.14.2

integration-v0.14.3

integration-v0.16.1

integration-v0.16.2

integration-v1.0.1

integration-v1.0.2

integration-v7.16.3

integration-v7.16.4

integration-v7.16.5

integration-v8.1.1

integration-v8.10.1

integration-v8.10.10

integration-v8.10.11

integration-v8.10.12

integration-v8.10.13

integration-v8.10.14

integration-v8.10.15

integration-v8.10.16

integration-v8.10.17

integration-v8.10.18

integration-v8.10.2

integration-v8.10.3

integration-v8.10.4

integration-v8.10.5

integration-v8.10.6

integration-v8.10.7

integration-v8.10.8

integration-v8.10.9

integration-v8.11.1

integration-v8.11.10

integration-v8.11.11

integration-v8.11.12

integration-v8.11.13

integration-v8.11.14

integration-v8.11.15

integration-v8.11.16

integration-v8.11.17

integration-v8.11.18

integration-v8.11.19

integration-v8.11.2

integration-v8.11.20

integration-v8.11.21

9482bda414 Adding related integrations to ML rules (#2972) Apoorva Joshi 2023-08-22 20:39:18 +02:00
10fa921c84 [Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing (#3025) Terrance DeJesus 2023-08-22 13:04:25 -04:00
2ddcf7817e [Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing (#3025) Terrance DeJesus 2023-08-22 13:04:25 -04:00
121134347a [Rule Tuning] PowerShell Keylogging Script (#3023) Jonhnathan 2023-08-22 07:45:00 -03:00
0c3b251208 [Rule Tuning] PowerShell Keylogging Script (#3023) Jonhnathan 2023-08-22 07:45:00 -03:00
37ff018674 [New Rule] Potential Masquerading as Windows System32 Executable (#3022) Jonhnathan 2023-08-21 15:14:22 -03:00
f8df53626e [New Rule] Potential Masquerading as Windows System32 Executable (#3022) Jonhnathan 2023-08-21 15:14:22 -03:00
3534b37ba6 [Tuning] Improve Performance (#2953) Samirbous 2023-08-21 16:23:34 +01:00
5e801b2edf [Tuning] Improve Performance (#2953) Samirbous 2023-08-21 16:23:34 +01:00
32f4fe26ba [Bug] Duplicate tag on Okta rule (#3020) Steve Ross 2023-08-21 10:42:47 -04:00
4f33a40f48 [Bug] Duplicate tag on Okta rule (#3020) Steve Ross 2023-08-21 10:42:47 -04:00
8058b4054c [New Rule] PowerShell Kerberos Ticket Dump (#2967) Jonhnathan 2023-08-20 17:29:16 -03:00
72f15dda6a [New Rule] PowerShell Kerberos Ticket Dump (#2967) Jonhnathan 2023-08-20 17:29:16 -03:00
27e246bd5e [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873) Joe Desimone 2023-08-17 12:52:26 -04:00
b5e011a892 [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873) Joe Desimone 2023-08-17 12:52:26 -04:00
7c4ca0a4a3 [New Rule] Building Block Rules - Part 2 (#2923) Jonhnathan 2023-08-17 13:00:50 -03:00
9144dc0448 [New Rule] Building Block Rules - Part 2 (#2923) Jonhnathan 2023-08-17 13:00:50 -03:00
44ac8f762d Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 (#3019) integration-v8.10.1 github-actions[bot] 2023-08-17 09:09:05 -04:00
4cf70654ad Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 (#3019) github-actions[bot] 2023-08-17 09:09:05 -04:00
492e6c416e [FR] 8.10 Release Preparation and Update Main Branch to 8.11 (#3012) Terrance DeJesus 2023-08-16 14:23:44 -04:00
08b646aa94 [FR] 8.10 Release Preparation and Update Main Branch to 8.11 (#3012) Terrance DeJesus 2023-08-16 14:23:44 -04:00
96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) Jonhnathan 2023-08-16 09:34:21 -03:00
f589ad4a4b Merge branch 'main' of github.com:elastic/detection-rules Mika Ayenson 2023-08-11 08:58:51 -05:00
e938ed28a0 [Rule Tuning] added additional event action (#3008) Ruben Groenewoud 2023-08-10 16:59:07 +02:00
2393190edf [New Rule] PowerShell Script with Webcam Video Capture Capabilities (#2935) Jonhnathan 2023-08-09 15:17:15 -03:00
f500cec497 fixing typo in 127.0.0.1 address (#3004) Ali Alwashali 2023-08-08 18:06:26 +03:00
4cbfd7c4ae [Rule Tuning] Restricted Shell Breakout (#2999) Ruben Groenewoud 2023-08-04 19:30:18 +02:00
e904ebb760 [New Rule] PE via Container Misconfiguration (#2983) Ruben Groenewoud 2023-08-04 16:39:40 +02:00
ef49709c7d [New Rules] Linux Wildcard Injection (#2973) Ruben Groenewoud 2023-08-04 16:32:34 +02:00
c6eba3e4e6 [New Rule] Suspicious Symbolic Link Created (#2969) Ruben Groenewoud 2023-08-03 23:23:23 +02:00
4bcec3397c [New Rule] Potential Suspicious DebugFS Root Device Access (#2982) Ruben Groenewoud 2023-08-03 16:13:34 +02:00
207d94e51c [New Rule] Potential Sudo Token Manipulation via Process Injection (#2984) Ruben Groenewoud 2023-08-03 15:58:25 +02:00
7cc841cc87 [New Rule] PE via UID INT_MAX Bug (#2971) Ruben Groenewoud 2023-08-03 15:51:06 +02:00
ef1fa94c52 [New BBR] Suspicious Clipboard Activity (#2970) Ruben Groenewoud 2023-08-03 15:41:23 +02:00
a7ff449fbc [Rule Tuning] Some Tunings of several 8.9 rules (#2985) Ruben Groenewoud 2023-08-03 15:25:33 +02:00
03110fb24c [New Rule] SUID/SGUID Enumeration Detected (#2956) Ruben Groenewoud 2023-08-03 09:57:30 +02:00
716b621af2 [New Rule] Potential Sudo Hijacking Detected (#2966) Ruben Groenewoud 2023-08-03 09:49:14 +02:00
18c2214956 [New Rule] Sudo Command Enumeration Detected (#2946) Ruben Groenewoud 2023-08-03 09:39:16 +02:00
3f9e7aced1 [Bug] Strip Non-Public Fields Prior to Uploading Rules (#2986) Mika Ayenson 2023-08-02 12:38:48 -05:00
29fc61d55b updated pyproject.toml (#2991) eric-forte-elastic 2023-08-02 10:16:12 -04:00
1cb5c174ce Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 (#2988) github-actions[bot] 2023-08-01 10:12:29 -04:00
b245d5b46b Merge branch 'main' of github.com:elastic/detection-rules Mika Ayenson 2023-08-01 08:49:22 -05:00
ea26ea77d7 [FR] Update build-release to support bbr release (#2987) eric-forte-elastic 2023-07-31 15:20:18 -04:00
b8bb2da932 [New Rule] Potential Privilege Escalation via OverlayFS (#2974) Ruben Groenewoud 2023-07-31 19:15:11 +02:00
d1db3a0048 [New Rule] Building Block Rules - Part 4 (#2926) Jonhnathan 2023-07-31 11:03:57 -03:00
1e769c51b6 Tune Unusual File Activity ADS for Teams weblogs (#2929) Eric 2023-07-31 07:41:31 -06:00
6966a6df09 [New Rule] Building Block Rules - Part 3 (#2924) Jonhnathan 2023-07-31 10:28:25 -03:00
3813a08f59 [FR] Add support for BBR rules to the rule loader (#2968) Mika Ayenson 2023-07-27 11:27:04 -05:00
77b43d16e8 [FR] Generate Prebuilt Rules Reference Page (#2964) Mika Ayenson 2023-07-27 11:05:31 -05:00
9387a081bc [Security Content] Add Investigation Guides to Threat Intel rules (#2827) Jonhnathan 2023-07-27 11:30:14 -03:00
bbb24704b6 [New Rule] PE through Writable Docker Socket (#2958) Ruben Groenewoud 2023-07-27 10:01:29 +02:00
0666b594c6 [New Rule] Linux Local Account Brute Force (#2965) Ruben Groenewoud 2023-07-27 09:43:53 +02:00
0ff50acfd2 [Rule Tuning] Tune Threat Indicator Match Rules (#2957) Jonhnathan 2023-07-26 15:12:28 -03:00
b330cf9438 [New Rule] Pspy Process Monitoring Detected (#2945) Ruben Groenewoud 2023-07-26 15:58:33 +02:00
9cc4b0e348 [New BBR] Potential Suspicious File Edit (#2960) Ruben Groenewoud 2023-07-26 15:22:56 +02:00
6527eb0500 Rule Tuning File Permission Modification in Writable Directory (#2961) shashank-elastic 2023-07-26 17:47:00 +05:30
d0d99829a2 Correct misspelling of AppDara to AppData (#2952) Eric 2023-07-26 05:10:03 -06:00
056db6003e [Security Content] Added Compatibility note to all IGs (#2943) Ruben Groenewoud 2023-07-26 12:54:50 +02:00
dbd7ed65a9 [Tuning] Reverse Shell Rules (#2959) Ruben Groenewoud 2023-07-25 14:55:56 +02:00
f92b34f46a Merge branch 'main' of github.com:elastic/detection-rules Mika Ayenson 2023-07-20 13:31:52 -05:00
93845626b7 Potential Cross Site Scripting ( XSS ) (#2922) shashank-elastic 2023-07-20 19:12:00 +05:30
8b808b9b83 New Cross Platform BBR Rules (#2920) shashank-elastic 2023-07-19 21:27:23 +05:30
8de2684498 [Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868) Ruben Groenewoud 2023-07-19 17:13:24 +02:00
97d429e314 [New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933) Samirbous 2023-07-19 16:05:13 +01:00
f920bc6151 New Linux BBR Rules (#2917) shashank-elastic 2023-07-19 20:12:59 +05:30
5e714e01e6 [Security Content] Add Windows Investigation Guides (#2825) Jonhnathan 2023-07-19 08:07:01 -03:00
d1491c3ce1 [Rule Tuning] Threat Intel URL Indicator Match (#2902) Jonhnathan 2023-07-18 20:21:15 -03:00
f1ba092864 [Deprecation] Threat Intel Indicator Match - General Rules (#2901) Jonhnathan 2023-07-18 20:12:53 -03:00
7949b8a03e [New Rule] Building Block Rules - Part 1 (#2912) Jonhnathan 2023-07-18 20:01:43 -03:00
23a133121d [Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932) Jonhnathan 2023-07-18 08:55:59 -03:00
80e2b699b6 [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837) Isai 2023-07-17 15:03:24 -04:00
db90345fd5 [Rule Tuning] Kubernetes Anonymous Request Authorized (#2865) Isai 2023-07-17 13:03:05 -04:00
0b64638bf7 [New Rule] AWS Credentials Searched For Inside a Container (#2887) Isai 2023-07-17 12:29:02 -04:00
0f5b5a3551 [Rule Tuning] Add Okta Investigation Guides Part 1 (#2899) Terrance DeJesus 2023-07-17 11:47:02 -04:00
fca8bcc071 [Rule Tuning] PowerShell Rule Tunings (#2907) Jonhnathan 2023-07-14 15:41:36 -03:00
9f29129585 [FR] Add EQL Rule Type Configuration Fields (#2918) Terrance DeJesus 2023-07-13 11:20:14 -04:00
9414095d96 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 (#2921) github-actions[bot] 2023-07-11 19:57:02 -04:00
3ed8c56942 DR Linux Rule Tuning 8.9 (#2859) shashank-elastic 2023-07-10 20:02:42 +05:30
1283a21fb7 [New Rules] Potential portscan detected (#2817) Remco Sprooten 2023-07-09 09:49:32 +02:00
90bc760c56 Update README.md to fix etc path (#2913) Mika Ayenson 2023-07-06 15:00:45 -04:00
e5d6d6e4a7 [New Rule] sus cmds executed by unknown executable (#2858) Ruben Groenewoud 2023-07-06 17:32:56 +02:00
4e0b7427b7 [New Rules] ftp/rdp bruteforce (#2910) Ruben Groenewoud 2023-07-06 17:16:01 +02:00
d5dee5a6c8 [New Rules] sysctl and modprobe enumeration (#2844) Ruben Groenewoud 2023-07-06 16:46:54 +02:00
cd7a52f1b1 [Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895) Terrance DeJesus 2023-07-06 10:39:20 -04:00
64b3fa8d1d [New Rule] Kernel Load/Unload via Kexec Detected (#2846) Ruben Groenewoud 2023-07-06 16:03:27 +02:00
646c316b66 [New Rules] Linux Reverse Shells (#2905) Ruben Groenewoud 2023-07-06 15:27:57 +02:00
9e5f69dc5b [FR] Add additional verification to BBR unit tests (#2909) eric-forte-elastic 2023-07-06 13:06:36 +00:00
d8969f8df1 RTA For Linux DR and ER Rules (#2904) shashank-elastic 2023-07-04 18:46:28 +05:30
78055bbeee [New Rule] Suspicious Proc Enumeration (#2845) Ruben Groenewoud 2023-07-04 11:34:56 +02:00
df0a1facd1 [WMI Incoming Lateral Movement] Modify Existing Query Exception (#2843) Eric 2023-07-03 15:12:05 -06:00
f78de8c9d4 Add MS Office exceptions to query (#2836) Eric 2023-07-03 14:09:17 -06:00
7a1f376a34 [New Rules] Conversion of deprecated ERs over to DRs (#2877) Ruben Groenewoud 2023-07-02 10:39:44 +02:00
35ea2727dc [Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades (#2850) Eric 2023-06-30 16:01:35 -06:00
7aa8a7b5fb [Rules Tuning] diverse tuning (#2506) Samirbous 2023-06-30 18:57:00 +01:00
ff2c951136 [New Rule] Potential Masquerading as Communication Apps (#2780) Jonhnathan 2023-06-30 11:46:54 -03:00
d5dddae0ef [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#2721) Jonhnathan 2023-06-30 10:56:13 -03:00
2a4749d3d0 [New Rule] New Term Rule for USB Devices (#2644) Samirbous 2023-06-30 14:41:38 +01:00
cf4bbfbcef [New ER RTA] Potential Linux Rev Shell via Java (#2897) Ruben Groenewoud 2023-06-30 14:21:06 +02:00
9794f8f0af [New Rule] Postgresql Code Execution (#2863) Ruben Groenewoud 2023-06-30 13:17:24 +02:00
2ff4584456 load unsupported rule type from schema (#2893) Mika Ayenson 2023-06-29 15:32:32 -04:00

... 27 28 29 30 31 ...