security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Commit Graph

  • e9ebb1f2d8 [Bug] Rename 8.7 schemas from *.master and strip build time fields (#2707) Mika Ayenson 2023-04-11 10:56:20 -04:00
  • 6edfb32160 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7 (#2702) github-actions[bot] 2023-04-10 11:24:16 -04:00
  • d1aadde671 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#2671) (#2672) Eric 2023-04-06 12:15:57 -06:00
  • d0ea8c6f98 [New Rule] new CWP rule to surface alerts from the cloud_defend integration (#2679) Karl Godard 2023-04-05 17:31:03 -07:00
  • 1a9b0e732c [Rule Tuning] Potential PowerShell HackTool Script by Function Names (#2692) Jonhnathan 2023-04-05 16:48:33 -03:00
  • eafe54c2cc [Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot (#2691) Jonhnathan 2023-04-05 13:28:57 -03:00
  • 5aaac84f3a [Rule Tuning] Suspicious service was installed in the system (#2693) Jonhnathan 2023-04-05 13:23:47 -03:00
  • 0c8d0bfd3d [New Rule] Suspicious Execution via Microsoft Office Add-Ins (#2651) Samirbous 2023-04-05 17:02:04 +01:00
  • e878f4b820 adding fix for unit testing that broke in 8.3 (#2683) Terrance DeJesus 2023-04-03 10:11:26 -04:00
  • 71d12bdda4 [Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests (#2682) Terrance DeJesus 2023-04-03 09:42:40 -04:00
  • 51d50b7d8a [New Rule] Lsass Process Access - Generic (#2613) Samirbous 2023-04-03 14:34:30 +01:00
  • 9713384888 Add Rule Id and Rule Name to the RTA Test List Function (#2680) Charlie Pichette 2023-03-31 16:08:42 -04:00
  • 94621d7567 Update layer version to 4.4 (#2676) eric-forte-elastic 2023-03-30 16:29:17 +00:00
  • 892757f4a4 [New Rule] Potential Pass The Hash (#2670) Samirbous 2023-03-29 19:37:27 +01:00
  • 5ed2120e3f [Rule Tuning] Potential Credential Access via Windows Utilities (#2659) Jonhnathan 2023-03-29 09:32:36 -03:00
  • 411ec36ff0 Validate markdown plugin fields (#2602) Justin Ibarra 2023-03-28 07:17:50 -06:00
  • 7e28b8fc50 [FR] Support Rule Alert Suppression in Rule Schema (#2660) Terrance DeJesus 2023-03-27 15:37:35 -04:00
  • 192047f46d [Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell (#2663) Jonhnathan 2023-03-27 11:50:53 -03:00
  • 3bfe3060a2 [Rule Tuning] Uncommon Registry Persistence Change (#2538) Ruben Groenewoud 2023-03-26 00:35:23 +01:00
  • 11d79912f1 [FR] Add new macOS RTAs for Endpoint Rules - 2 (#2661) Mika Ayenson 2023-03-24 17:29:22 -04:00
  • 62ec0ae086 [FR] Add new macOS RTAs for Endpoint Rules (#2632) Mika Ayenson 2023-03-24 16:53:37 -04:00
  • 76500f0d46 [New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User (#2654) Terrance DeJesus 2023-03-24 12:21:56 -04:00
  • fd0d7a1d00 [RTA] Adds RTAs to Windows Rules - 2 (#2628) Jonhnathan 2023-03-24 10:13:12 -03:00
  • 95b8b1688b [RTA] Add RTAs for Endpoint Rules - 2 (#2633) Jonhnathan 2023-03-24 09:55:32 -03:00
  • 5c792b86d7 [RTA] Adds RTAs for endpoint rules (#2621) Jonhnathan 2023-03-23 18:14:06 -03:00
  • 32ca0001ff [Rule Tuning] Untrusted Driver Loaded (#2656) Jonhnathan 2023-03-23 08:26:52 -03:00
  • 0d1fca454a New Rule: Suspicious Mining Process Creation Event (#2531) Ruben Groenewoud 2023-03-21 16:35:25 +01:00
  • 7be5788945 [New Rule] Google Workspace Resource Copied from External Drive (#2627) Terrance DeJesus 2023-03-20 14:37:58 -04:00
  • 2c5470349c [New Rule] External User Added to Private Organization Group (#2577) Terrance DeJesus 2023-03-20 14:32:42 -04:00
  • f41c5288cc [RTA] New RTAs for Windows Rules (#2426) Jonhnathan 2023-03-20 07:56:51 -03:00
  • eab30d7456 [Rule Tuning] Namespace Manipulation Using Unshare (#2599) Ruben Groenewoud 2023-03-20 11:36:47 +01:00
  • f40ad93224 [Bug] Failed CI Unit Tests from Marshmallow Dataclass and Typing Updates (#2645) Terrance DeJesus 2023-03-17 16:38:35 -04:00
  • 672211500c [Rule Fix] Privileged SSH Brute Force Detected (#2595) Ruben Groenewoud 2023-03-14 15:42:58 -04:00
  • f52a744259 [New Rule] RC Script Creation (#2607) Ruben Groenewoud 2023-03-14 20:03:41 +01:00
  • 295fc323a1 [Rule Tunings] System Time & Service Discovery (#2589) Ruben Groenewoud 2023-03-14 19:43:21 +01:00
  • 1a5bc7e924 [Rule Tuning] Abnormal PID or Lock File Created (#2600) Ruben Groenewoud 2023-03-14 19:37:00 +01:00
  • 87c66f923e Update commit-and-push.sh (#2640) Mika Ayenson 2023-03-09 17:31:19 -05:00
  • 40eff15fbe Update manual-backport.yml (#2639) Mika Ayenson 2023-03-09 16:42:09 -05:00
  • 0a637a3d86 Update manual-backport.yml (#2638) Mika Ayenson 2023-03-09 16:09:59 -05:00
  • 2b7d249125 Update manual-backport.yml (#2637) Mika Ayenson 2023-03-09 15:31:44 -05:00
  • 73555c737d Update manual-backport.yml (#2636) Mika Ayenson 2023-03-09 15:11:07 -05:00
  • 41ca459532 Update manual-backport.yml (#2635) Mika Ayenson 2023-03-09 14:15:12 -05:00
  • 9cb7123a72 [FR] Add enhancements to release-fleet workflow (#2612) Terrance DeJesus 2023-03-08 17:34:31 -05:00
  • 00102812b4 [Tweak] Use global constants to speed up tests (#2629) Justin Ibarra 2023-03-07 19:19:59 -09:00
  • 181b56c636 [Rule Tuning] Process Created with an Elevated Token (TiWorker.exe) (#2622) Terrance DeJesus 2023-03-07 19:57:34 -05:00
  • cd6a5983c6 Speed up unit tests (#2626) Justin Ibarra 2023-03-07 14:40:41 -09:00
  • 38b8311482 [Security Content] Expand Abbreviated Tags (#2414) Jonhnathan 2023-03-06 17:37:52 -03:00
  • 0273d118a6 [Rule Tuning] Add endgame support for Windows Rules (#2428) Jonhnathan 2023-03-06 12:47:11 -03:00
  • 114d6e600d [Test] Restrict host.os.type unit test to 8.3+ (#2615) Justin Ibarra 2023-03-05 10:01:43 -09:00
  • 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) Justin Ibarra 2023-03-05 09:41:19 -09:00
  • a71620a99b [Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell (#2614) Jonhnathan 2023-03-05 14:59:17 -03:00
  • bb4f7acf27 deprecate 'Google Workspace User Group Access Modified to Allow External Access' (#2576) Terrance DeJesus 2023-03-02 11:29:14 -05:00
  • 46b18b5a07 [New Rule] Google Workspace - Suspended User Account Renewed (#2592) Terrance DeJesus 2023-03-02 11:23:49 -05:00
  • 2605a341a9 Include base rule fields in enriched indexes (#2547) Justin Ibarra 2023-03-02 06:30:55 -09:00
  • 1a4510c9d4 [Security Content] Add Investigation Guides to Windows Rules - 2 (#2534) Jonhnathan 2023-03-01 21:23:09 -03:00
  • 66a0cbb5de [Bug] Fix release-* Github Workflows and Review integrations-pr command (#2605) Terrance DeJesus 2023-03-01 10:43:16 -05:00
  • 5f83433ecb New Rule to identify potential linux credential dumping (#2604) shashank-elastic 2023-03-01 21:00:02 +05:30
  • 539cd945a9 New Rule to identify iptables or firewall disabling. (#2591) shashank-elastic 2023-03-01 17:14:45 +05:30
  • 66359012c3 [Rule Tuning] Potential Shadow File Read via CLI (#2594) Ruben Groenewoud 2023-02-28 18:26:38 +01:00
  • fd0120d98b [FR] Use Read token on branch status checks (#2598) Mika Ayenson 2023-02-24 09:17:07 -05:00
  • c3d8bac402 [Security Content] Add Investigation Guides to Windows rules (#2521) Jonhnathan 2023-02-22 18:13:13 -03:00
  • f17b6f1702 [Security Content] Fix verbiage used on Osquery Note (#2513) Jonhnathan 2023-02-22 12:33:23 -03:00
  • 9bef3857f9 [Rule Tuning] Remote System Discovery Commands (#2500) Isai 2023-02-21 18:39:51 -05:00
  • f04ebf277c [Rule Tuning] (#2537) Isai 2023-02-15 14:58:29 -05:00
  • 73d581500c [Bug] Change YAML Dump Parameters for Integrations Changelog (#2545) Terrance DeJesus 2023-02-14 12:10:41 -05:00
  • 7df801f5c2 [Rule Tuning] Add missing techniques (#2482) Isai 2023-02-10 15:07:19 -05:00
  • c07ced2ce4 Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7 (#2542) github-actions[bot] 2023-02-10 14:11:33 -05:00
  • f8d26f4ce0 [Bug] Removed Strip Calls in Favor of F-Strings with Major and Minor Versions (#2541) Terrance DeJesus 2023-02-10 13:18:53 -05:00
  • f8e97da549 Rule Tuning Update MITRE Details (#2526) shashank-elastic 2023-02-10 23:05:28 +05:30
  • 8a7ad13611 [FR] 8.7 Release Preparation and Update Main Branch to 8.8 (#2533) Terrance DeJesus 2023-02-08 17:27:21 -05:00
  • 60115443a4 Validate against beats and integrations schemas (#2524) Mika Ayenson 2023-02-08 12:01:31 -05:00
  • 443478c8c0 [Rule Tuning] Rule Tunings to add T1078 technique and subtechniques (#2530) Isai 2023-02-08 11:18:13 -05:00
  • 58ba72d5bf patch fix for 2503 update addressing separate bugs (#2528) Terrance DeJesus 2023-02-07 16:09:17 -05:00
  • 4054eb43d1 patch fix for 2503 (#2527) Terrance DeJesus 2023-02-07 15:40:51 -05:00
  • fb2b4529c5 [FR] Adapt PyPi semver Library and Remove Custom (#2503) Terrance DeJesus 2023-02-07 14:26:29 -05:00
  • 9ce8faebea Updated ECS mappings from keyword to wildcard (#2518) eric-forte-elastic 2023-02-07 09:43:19 -05:00
  • 54b2f7582e Update defense_evasion_unusual_ads_file_creation.toml (#2522) Nic 2023-02-07 06:40:42 -06:00
  • 51b7df8613 Check integrations cross major versions for older release support (#2520) Mika Ayenson 2023-02-02 18:17:02 -05:00
  • e6ba0055fb Resolve backport checks on 2470 by checking Version min_stack (#2519) Mika Ayenson 2023-02-02 17:29:30 -05:00
  • 1784429aa7 [FR] Add Integration Schema Query Validation (#2470) Mika Ayenson 2023-02-02 16:22:44 -05:00
  • cd2307ba7d [New Rule] FirstTimeSeen User Performing DCSync (#2433) Samirbous 2023-02-02 15:44:31 +00:00
  • 4bfcbeab36 [Rule Tuning] Unusual Network Activity from a Windows System Binary (#2509) Jonhnathan 2023-02-01 13:19:28 -03:00
  • 748bdbf8b1 [New Rule] Enumerating Domain Trusts via Dsquery.exe (#2508) Isai 2023-02-01 10:27:42 -05:00
  • c6125004c1 [New Rules] WSL Related Rules (#2463) Samirbous 2023-02-01 15:10:28 +00:00
  • 7fe08e7856 Update persistence_service_windows_service_winlog.toml (#2516) Samirbous 2023-02-01 14:34:30 +00:00
  • be5cd23a64 [New Rules] Code Signing Policy Modification (#2510) Ruben Groenewoud 2023-02-01 15:30:15 +01:00
  • 5a31cb250d [Rule Tuning] Unusual File Modification by dns.exe (#2505) Jonhnathan 2023-02-01 11:10:05 -03:00
  • 8c2cbae5a8 [New Rule] Potential PowerShell HackTool Script by Function Names (#2474) Jonhnathan 2023-01-31 17:21:36 -03:00
  • 8e02c60ef6 [Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486) Jonhnathan 2023-01-31 16:56:19 -03:00
  • 99f177a5ae [Rule Tuning] Potential Credential Access via DCSync (#2501) Jonhnathan 2023-01-31 16:50:39 -03:00
  • 8519fad243 [Rule Tuning] Potential Remote Credential Access via Registry (#2511) Jonhnathan 2023-01-31 15:09:32 -03:00
  • d636f2d465 [Rule Tuning] T1069 and T1087 - admin wildcard (#2484) Isai 2023-01-30 22:01:52 -05:00
  • 5575400ee9 [Security Content] Add Investigation Guides for ML rules (#2405) Jonhnathan 2023-01-30 13:12:45 -03:00
  • 54f65abdb0 [Rule Tuning] Potential Shadow Credentials added to AD Object (#2498) Jonhnathan 2023-01-30 09:14:23 -03:00
  • b8adffa469 [New Rule] System Service Discovery through built-in Windows Utilities (#2491) Ruben Groenewoud 2023-01-29 19:15:17 +01:00
  • c5ce910d3a Create defense_evasion_timestomp_sysmon.toml (#2476) Samirbous 2023-01-27 21:32:03 +00:00
  • b8dcc6ab4b [New Rules] C2 via BITS and CertReq (#2466) Samirbous 2023-01-27 20:17:36 +00:00
  • e737b4eb7c [Tuning] added T1021.006 and T1563.001 (#2497) Samirbous 2023-01-27 19:51:22 +00:00
  • a1df310e56 [New Rule] T1553.006 - Untrusted Driver Loaded (#2499) Samirbous 2023-01-27 19:46:35 +00:00
  • 2372602c4e [New Rules] Amsi Bypass (#2473) Samirbous 2023-01-26 06:03:53 +00:00