Commit Graph

  • c90ab9de82 load unsupported rule type from schema Mika Ayenson 2023-06-29 14:22:25 -04:00
  • d9bc209c76 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 (#2892) github-actions[bot] 2023-06-29 12:25:51 -04:00
  • 35d373b2bd [FR] 8.9 Release Preparation and Update Main Branch to 8.10 (#2891) Terrance DeJesus 2023-06-29 11:39:11 -04:00
  • cec41b4072 [FR] Build a limited compatible rule ndjson for older stacks (#2885) Mika Ayenson 2023-06-29 10:18:24 -04:00
  • 73970eb2f2 [FR] Add Support for Multi-Fields and Validation in Rules (#2882) Terrance DeJesus 2023-06-28 20:35:33 -04:00
  • a7e605a0e5 [Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 (#2889) Jonhnathan 2023-06-28 15:55:43 -03:00
  • 493c638252 [Bug] Add pywin32 to windows install (#2886) Mika Ayenson 2023-06-28 10:47:29 -04:00
  • 8703c65f87 [Tuning] Azure Network Packet Capture Detected (#2888) Ruben Groenewoud 2023-06-28 16:32:56 +02:00
  • 90c79a8283 [Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules (#2777) Jonhnathan 2023-06-28 10:22:24 -03:00
  • c94c79ba77 Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 (#2883) github-actions[bot] 2023-06-27 12:00:19 -04:00
  • 5da2771c12 [New Rule] [BBR] Expired or Revoked Driver Loaded (#2880) Jonhnathan 2023-06-27 09:18:35 -03:00
  • 48cf95c8eb [Rule Tuning] Change Network Rules to Use Network Packet Capture Integration (#2665) Terrance DeJesus 2023-06-26 17:35:49 -04:00
  • 0f6ded452b [New RTA] Endpoint Rules (#2788) Samirbous 2023-06-23 16:58:30 +01:00
  • aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823) eric-forte-elastic 2023-06-23 14:58:31 +00:00
  • d829b145ef [Bug] Fix Tag Navigator Generation (#2875) Terrance DeJesus 2023-06-23 10:44:55 -04:00
  • b4c84e8a40 [Security Content] Tags Reform (#2725) Jonhnathan 2023-06-22 18:38:56 -03:00
  • 7d758fdacd [New Rule] Potential Malicious File Downloaded from Google Drive (#2862) Terrance DeJesus 2023-06-22 14:10:14 -04:00
  • 7c5f17e30c [New Rules] User / Group Creation & Privileged Group Addition (#2546) Ruben Groenewoud 2023-06-22 15:15:48 +02:00
  • 71186c8788 [Rule Tuning] Potential Persistence Through Run Control Detected (#2857) Ruben Groenewoud 2023-06-22 13:39:36 +02:00
  • 7d64dc2a87 [Rule tunings / New Rule] Kernel Unload and Enumeration (#2838) Ruben Groenewoud 2023-06-22 10:11:52 +02:00
  • 082e92c95c [Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion (#2854) Terrance DeJesus 2023-06-21 09:47:27 -04:00
  • 6449cecd08 [FR] Add support for building block rules (BBR) (#2822) eric-forte-elastic 2023-06-20 13:00:30 +00:00
  • dc05f1d8f3 [New Rule] Sus Network Activity from Unknown Executable (#2856) Ruben Groenewoud 2023-06-14 23:27:29 +02:00
  • b4a218ed1c [New Rule] Shared Object Created (#2848) Ruben Groenewoud 2023-06-13 22:51:07 +02:00
  • 01334a28bd Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 (#2853) github-actions[bot] 2023-06-13 09:48:24 -04:00
  • 4f9f28c370 [New Rules] Cron Job / Systemd Service Creation (#2847) Ruben Groenewoud 2023-06-13 09:44:44 +02:00
  • 644d2f5b26 [New Rule] New Systemd Timer Created (#2601) Ruben Groenewoud 2023-06-13 09:15:47 +02:00
  • 450e84ffa2 [FR] Add host family to data path (#2839) eric-forte-elastic 2023-06-12 20:03:33 +00:00
  • 1e404cde34 [Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions (#2831) Eric 2023-06-12 13:15:47 -06:00
  • 8db42da040 Limit backports to 8.3+ (#2450) Terrance DeJesus 2023-06-12 12:51:40 -04:00
  • 665bf03ec0 [Rule Tuning] Remote System Discovery Commands (#2834) Jonhnathan 2023-06-07 14:24:53 -03:00
  • 601788c4df Added Outlook.exe as a query exception (#2814) Eric 2023-06-06 10:47:25 -06:00
  • 221e756b48 Adjusted exceptions to rule for Nessus (#2774) Eric 2023-06-06 10:39:34 -06:00
  • cc377b6634 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 (#2824) github-actions[bot] 2023-05-31 12:42:12 -04:00
  • e0ceb5a434 adjust integrations file; add option for single integration update (#2816) Terrance DeJesus 2023-05-31 11:00:58 -04:00
  • 05aac4f371 [Security Content] Add Investigation Guides to Windows rules (#2678) Jonhnathan 2023-05-26 10:25:41 -03:00
  • 0d5e25e896 [Rule Tuning] Interactive Terminal Spawned via Python (#2781) Jonhnathan 2023-05-26 10:19:35 -03:00
  • 54c5c17aa3 [Rule Tuning & Addition] Potential Linux SSH Brute Force (#2583) Ruben Groenewoud 2023-05-25 12:00:44 +02:00
  • 8766734c89 [Bug] Adding additional dependency typing-extensions (#2812) Terrance DeJesus 2023-05-24 10:23:35 -04:00
  • e9baebc2bc bug fix for misspelled variable call (#2800) Terrance DeJesus 2023-05-18 12:45:13 -04:00
  • 7f249e6cc4 [Security Content] Add Google Workspace Investigation Guides (#2540) Terrance DeJesus 2023-05-18 10:16:20 -04:00
  • 836c803e9d Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 (#2797) github-actions[bot] 2023-05-17 12:16:54 -04:00
  • 0b3f603179 [Rule Tuning] Adding Hidden File Attribute via Attrib (#2726) Jonhnathan 2023-05-17 10:23:11 -03:00
  • 9f734c2c1f [Rule Tuning] System Information Discovery via Windows Command Shell (#2741) Jonhnathan 2023-05-17 09:58:21 -03:00
  • 0eed8ce27f [New Rule] SSH Process Launched From Inside A Container (#2794) Isai 2023-05-16 17:32:58 -04:00
  • b0838cc2cb [New Rule] SSH Connection Established Inside A Running Container (#2793) Isai 2023-05-16 16:56:52 -04:00
  • 515d393828 [New Rule] SSH Authorized Keys File Modified Inside a Container (#2792) Isai 2023-05-16 16:30:17 -04:00
  • 648dd8b3ed [New Rule] Interactive Exec Command Launched Against A Running Container (#2791) Isai 2023-05-16 16:09:10 -04:00
  • 9e3dc112b3 [New Rule] Sensitive Files Compression Inside A Container (#2790) Isai 2023-05-16 15:49:42 -04:00
  • d8e9874d54 [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container (#2789) Isai 2023-05-16 15:29:54 -04:00
  • 73f87ad7e6 [New Rule] Suspicious Network Tool Launched Inside A Container (#2759) Isai 2023-05-16 15:21:42 -04:00
  • 5fd155849e [New Rule] File Made Executable via Chmod Inside A Container (#2757) Isai 2023-05-16 15:15:49 -04:00
  • 4c996490ec [New Rule] Netcat Listener Established Inside A Container (#2756) Isai 2023-05-16 15:08:20 -04:00
  • e954b6d7eb [New Rule] Interactive Shell Spawned From Inside a Container (#2752) Isai 2023-05-16 15:02:20 -04:00
  • ee86144565 [New Rule] Container Management Binary Run Inside A Container (#2754) Isai 2023-05-16 14:41:27 -04:00
  • 24974108f3 updated ATT&CK 13.0 to 13.1 (#2795) Terrance DeJesus 2023-05-16 11:01:52 -04:00
  • 9ebffb44ff [New Rules] Ransomware Encryption & Note Creation (#2652) Ruben Groenewoud 2023-05-16 11:30:00 +02:00
  • d017156454 [Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761) Jonhnathan 2023-05-15 20:31:59 -03:00
  • ea9bfc3e2b Update trigger-react.yml (#2779) Mika Ayenson 2023-05-05 13:21:54 -04:00
  • 1293365a7f Rule to detect Potential Linux Credential Dumping via Proc Filesystem (#2751) shashank-elastic 2023-05-05 22:23:15 +05:30
  • 26258f806a [New Rules] Persistence through MOTD (#2608) Ruben Groenewoud 2023-05-05 10:29:15 +02:00
  • 1aea1ee9bb [New rule] Sus File Creation in init.d for Persistence Detected (#2653) Ruben Groenewoud 2023-05-05 09:54:42 +02:00
  • 09719dd0c5 [Rule Tuning] Potential Shell via Web Server (#2585) Ruben Groenewoud 2023-05-05 09:47:49 +02:00
  • c443aadbe1 [FR] Add base pipeline to trigger react (#2768) Mika Ayenson 2023-05-04 16:44:28 -04:00
  • 6655932190 [Rule Tuning] Startup or Run Key Registry Modification (#2766) Jonhnathan 2023-05-04 09:42:12 -03:00
  • 81bef59236 [FR] Generate mdx docs (#2718) Mika Ayenson 2023-05-03 16:27:30 -04:00
  • 71d93e875e [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms (#2760) Terrance DeJesus 2023-05-03 09:28:59 -04:00
  • 6524acf98a [rule tuning] modified std auth module or config (#2737) Ruben Groenewoud 2023-05-03 09:32:33 +02:00
  • d5350ae6e0 [New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) (#2685) Terrance DeJesus 2023-05-02 23:09:17 -04:00
  • e55679059b updating att&ck to 13.0 (#2755) Terrance DeJesus 2023-05-02 11:17:38 -04:00
  • a04cf186fd [Bug][FR] Remove Rule Type Change Restriction and Fix Version Lock Bug (#2769) Terrance DeJesus 2023-05-02 11:00:36 -04:00
  • 855ba16299 Linux Rule Tuning (#2753) shashank-elastic 2023-05-02 19:12:13 +05:30
  • 7435ac39d2 [Rule Tuning] added rule name override for cloud_defend integration rule (#2767) Karl Godard 2023-05-01 21:05:24 -07:00
  • 792da36fb9 [Bug] Add Cloud Defend to definitions.NON_DATASET_PACKAGES (#2764) Terrance DeJesus 2023-04-28 11:23:48 -04:00
  • 6ecd65721d [FR] Add release-docs workflow and automation (#2745) Mika Ayenson 2023-04-27 11:44:05 -04:00
  • 92945172bb add base of workflow (#2762) Mika Ayenson 2023-04-27 10:03:56 -04:00
  • cd5bc2c44b Update file path regex for /run (#2749) shashank-elastic 2023-04-26 14:02:16 +05:30
  • e254816068 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 (#2748) github-actions[bot] 2023-04-25 13:42:38 -04:00
  • 2c76527922 Make call to TOMLRuleContents.to_dict from TOMLRuleContents.to_api_format (#2742) Justin Ibarra 2023-04-25 10:33:43 -06:00
  • 0107e0fcaa Detect Threat indicators for VMware ESXi servers (#2708) shashank-elastic 2023-04-25 20:17:16 +05:30
  • c60e1a61a9 Updating some rule names (#2744) Apoorva Joshi 2023-04-25 05:01:06 -07:00
  • 597e6e2de1 [Bug] Add --add-historical argument to lock versions workflow (#2739) Terrance DeJesus 2023-04-24 12:12:49 -04:00
  • fadb5c2343 [FR] 8.8 Release Preparation and Update Main Branch to 8.9 (#2734) Terrance DeJesus 2023-04-24 10:13:07 -04:00
  • 2eda02c10e [Rule Tuning] Multiple Logon Failure from the same Source Address (#2588) Samirbous 2023-04-24 13:16:17 +01:00
  • 2996c79ff4 Detect Mount Execution With Hidepid Parameter (#2706) shashank-elastic 2023-04-22 08:00:30 +05:30
  • 84acf004da [Rule Tuning] Component Object Model Hijacking (#2730) Jonhnathan 2023-04-21 18:43:02 -03:00
  • 12d6b49a24 [Rule Tuning] Potential Credential Access via Windows Utilities (#2727) Jonhnathan 2023-04-21 18:27:44 -03:00
  • b5ef2f5f02 [FR] Generate Historical Rule Files in Build Release Packages (#2715) Terrance DeJesus 2023-04-21 11:03:29 -04:00
  • 255c53cff0 [Rule Tuning] Connection to Commonly Abused Web Services (#2728) Jonhnathan 2023-04-20 18:26:00 -03:00
  • b1e3215cd5 [Rule Tuning] Tune PowerShell rule FPs related to MS ATP (#2729) Jonhnathan 2023-04-20 12:37:06 -03:00
  • 2705df81e2 Tune Shell evasion Rule to incorporate GTFOArgs shell evasion (#2687) shashank-elastic 2023-04-20 18:35:18 +05:30
  • f7aa477536 Correct Event Action to include endgame event schema (#2610) shashank-elastic 2023-04-20 17:28:01 +05:30
  • 94baa89ea8 New Rule to identify defense evasion via PRoot (#2625) shashank-elastic 2023-04-20 17:14:01 +05:30
  • 8ef2f6557b Patch to allow integration validation if ECS/beats fails (#2701) eric-forte-elastic 2023-04-18 19:43:35 +00:00
  • fb09208132 [Rule Tuning] Connection to Commonly Abused Web Services (#2717) Jonhnathan 2023-04-18 09:15:47 -03:00
  • f21a9e4793 updating min stack comments (#2712) Terrance DeJesus 2023-04-12 14:30:34 -04:00
  • 894e34f82c [Bug] Add new-package argument to bump-pkg-versions CLI (#2703) Terrance DeJesus 2023-04-12 13:48:58 -04:00
  • d6f277e379 [New Rule] Google Workspace New OAuth Login from Third-Party Application (#2677) Terrance DeJesus 2023-04-12 09:40:31 -04:00
  • 4511ab0666 [Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace (#2674) Terrance DeJesus 2023-04-12 09:15:58 -04:00
  • 16749e45ae [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process (#2704) Jonhnathan 2023-04-11 13:47:52 -03:00