sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Select branches

Hide Pull Requests

main

7.11

ML-Beaconing-20211130-1

ML-Beaconing-20211216-1

ML-DGA-20201111-1

ML-DGA-20201111-2

ML-DGA-20201111-3

ML-DGA-20201118-1

ML-DGA-20201216-1

ML-DGA-20210421-2

ML-DGA-20210421-3

ML-DGA-20210601-3

ML-DGA-20210602-3

ML-DGA-20210604-4

ML-DGA-20210629-5

ML-DGA-20210706-5

ML-HostRiskScore-20210728-1

ML-HostRiskScore-20210803-1

ML-HostRiskScore-20210826-2

ML-HostRiskScore-20211007-3

ML-HostRiskScore-20220210-4

ML-HostRiskScore-20220215-4

ML-HostRiskScore-20220228-5

ML-HostRiskScore-20220404-5

ML-ProblemChild-20210519-1

ML-ProblemChild-20210520-1

ML-ProblemChild-20210526-1

ML-ProblemChild-20210602-1

ML-URLSpoof-20210804-1

ML-URLSpoof-20210805-1

ML-UserRiskScore-20220628-1

ML-UserRiskScore-20220812-2

ML-experimental-detections-20200506-3

ML-experimental-detections-20201028-1

ML-experimental-detections-20201029-1

ML-experimental-detections-20201118-1

ML-experimental-detections-20201209-1

ML-experimental-detections-20201221-2

ML-experimental-detections-20210527-4

ML-experimental-detections-20210602-4

ML-experimental-detections-20210603-5

ML-experimental-detections-20210804-6

ML-experimental-detections-20210805-6

ML-experimental-detections-20211130-7

apr_2025_updates

aug_2025_updates

august_updates

dev-v0.1.0

dev-v0.1.2

dev-v0.1.3

dev-v0.1.4

dev-v0.1.5

dev-v0.1.6

dev-v0.1.7

dev-v0.2.0

dev-v0.2.1

dev-v0.3.0

dev-v0.3.1

dev-v0.3.10

dev-v0.3.11

dev-v0.3.12

dev-v0.3.13

dev-v0.3.14

dev-v0.3.15

dev-v0.3.16

dev-v0.3.17

dev-v0.3.18

dev-v0.3.19

dev-v0.3.2

dev-v0.3.3

dev-v0.3.4

dev-v0.3.5

dev-v0.3.6

dev-v0.3.7

dev-v0.3.8

dev-v0.3.9

dev-v0.4.0

dev-v0.4.1

dev-v0.4.10

dev-v0.4.11

dev-v0.4.12

dev-v0.4.13

dev-v0.4.14

dev-v0.4.15

dev-v0.4.16

dev-v0.4.17

dev-v0.4.18

dev-v0.4.19

dev-v0.4.2

dev-v0.4.20

dev-v0.4.21

dev-v0.4.22

dev-v0.4.23

dev-v0.4.24

dev-v0.4.25

dev-v0.4.26

dev-v0.4.3

dev-v0.4.4

dev-v0.4.5

dev-v0.4.6

dev-v0.4.7

dev-v0.4.8

dev-v0.4.9

dev-v1.0.0

dev-v1.0.1

dev-v1.0.10

dev-v1.0.13

dev-v1.0.14

dev-v1.0.15

dev-v1.0.16

dev-v1.0.17

dev-v1.0.18

dev-v1.0.2

dev-v1.0.3

dev-v1.0.4

dev-v1.0.5

dev-v1.0.6

dev-v1.0.7

dev-v1.0.8

dev-v1.0.9

dev-v1.1.0

dev-v1.1.1

dev-v1.1.2

dev-v1.1.3

dev-v1.1.4

dev-v1.1.5

dev-v1.1.6

dev-v1.1.7

dev-v1.2.0

dev-v1.2.1

dev-v1.2.10

dev-v1.2.11

dev-v1.2.12

dev-v1.2.13

dev-v1.2.14

dev-v1.2.15

dev-v1.2.16

dev-v1.2.17

dev-v1.2.18

dev-v1.2.19

dev-v1.2.2

dev-v1.2.20

dev-v1.2.21

dev-v1.2.22

dev-v1.2.23

dev-v1.2.24

dev-v1.2.25

dev-v1.2.26

dev-v1.2.3

dev-v1.2.4

dev-v1.2.5

dev-v1.2.7

dev-v1.2.8

dev-v1.2.9

dev-v1.3.0

dev-v1.3.1

dev-v1.3.10

dev-v1.3.11

dev-v1.3.12

dev-v1.3.13

dev-v1.3.14

dev-v1.3.15

dev-v1.3.16

dev-v1.3.17

dev-v1.3.18

dev-v1.3.19

dev-v1.3.2

dev-v1.3.20

dev-v1.3.21

dev-v1.3.22

dev-v1.3.23

dev-v1.3.24

dev-v1.3.25

dev-v1.3.26

dev-v1.3.27

dev-v1.3.28

dev-v1.3.29

dev-v1.3.3

dev-v1.3.30

dev-v1.3.31

dev-v1.3.32

dev-v1.3.33

dev-v1.3.4

dev-v1.3.5

dev-v1.3.6

dev-v1.3.7

dev-v1.3.9

dev-v1.4.0

dev-v1.4.1

dev-v1.4.10

dev-v1.4.11

dev-v1.4.12

dev-v1.4.2

dev-v1.4.3

dev-v1.4.4

dev-v1.4.5

dev-v1.4.6

dev-v1.4.7

dev-v1.4.8

dev-v1.4.9

dev-v1.5.0

dev-v1.5.1

dev-v1.5.10

dev-v1.5.11

dev-v1.5.12

dev-v1.5.13

dev-v1.5.14

dev-v1.5.15

dev-v1.5.16

dev-v1.5.17

dev-v1.5.18

dev-v1.5.19

dev-v1.5.2

dev-v1.5.20

dev-v1.5.21

dev-v1.5.22

dev-v1.5.23

dev-v1.5.24

dev-v1.5.25

dev-v1.5.26

dev-v1.5.27

dev-v1.5.28

dev-v1.5.29

dev-v1.5.3

dev-v1.5.31

dev-v1.5.32

dev-v1.5.33

dev-v1.5.34

dev-v1.5.35

dev-v1.5.36

dev-v1.5.37

dev-v1.5.38

dev-v1.5.39

dev-v1.5.4

dev-v1.5.40

dev-v1.5.41

dev-v1.5.42

dev-v1.5.43

dev-v1.5.44

dev-v1.5.45

dev-v1.5.46

dev-v1.5.47

dev-v1.5.48

dev-v1.5.49

dev-v1.5.5

dev-v1.5.50

dev-v1.5.51

dev-v1.5.52

dev-v1.5.53

dev-v1.5.54

dev-v1.5.56

dev-v1.5.6

dev-v1.5.7

dev-v1.5.8

dev-v1.5.9

dev-v1.6.0

dev-v1.6.1

dev-v1.6.10

dev-v1.6.11

dev-v1.6.12

dev-v1.6.13

dev-v1.6.14

dev-v1.6.15

dev-v1.6.16

dev-v1.6.17

dev-v1.6.18

dev-v1.6.19

dev-v1.6.2

dev-v1.6.20

dev-v1.6.21

dev-v1.6.22

dev-v1.6.23

dev-v1.6.24

dev-v1.6.25

dev-v1.6.26

dev-v1.6.28

dev-v1.6.29

dev-v1.6.3

dev-v1.6.30

dev-v1.6.31

dev-v1.6.32

dev-v1.6.4

dev-v1.6.5

dev-v1.6.6

dev-v1.6.7

dev-v1.6.8

dev-v1.6.9

dev7.10-ML-DGA-v0.1.0

dev7.10-ML-DGA-v0.1.0.zip

dev7.10-abc-v0.1.0

feb_2025_updates

integration-v0.13.1

integration-v0.13.2

integration-v0.13.3

integration-v0.14.1

integration-v0.14.2

integration-v0.14.3

integration-v0.16.1

integration-v0.16.2

integration-v1.0.1

integration-v1.0.2

integration-v7.16.3

integration-v7.16.4

integration-v7.16.5

integration-v8.1.1

integration-v8.10.1

integration-v8.10.10

integration-v8.10.11

integration-v8.10.12

integration-v8.10.13

integration-v8.10.14

integration-v8.10.15

integration-v8.10.16

integration-v8.10.17

integration-v8.10.18

integration-v8.10.2

integration-v8.10.3

integration-v8.10.4

integration-v8.10.5

integration-v8.10.6

integration-v8.10.7

integration-v8.10.8

integration-v8.10.9

integration-v8.11.1

integration-v8.11.10

integration-v8.11.11

integration-v8.11.12

integration-v8.11.13

integration-v8.11.14

integration-v8.11.15

integration-v8.11.16

integration-v8.11.17

integration-v8.11.18

integration-v8.11.19

integration-v8.11.2

integration-v8.11.20

integration-v8.11.21

e2c8c7745d [Tuning] Suricata and Elastic Defend Network Correlation (#5583) Samirbous 2026-01-23 12:02:25 +00:00
ccfb69244a [Tuning] Rare Connection to WebDAV Target (#5556) Samirbous 2026-01-23 11:17:19 +00:00
4408ea014b [Rule Tuning] Removing host.os.type from K8s Rules (#5577) Ruben Groenewoud 2026-01-23 10:41:20 +01:00
4e4559204d [Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5603) Isai 2026-01-22 15:01:49 -05:00
5c5185d227 [New] Potential SAP NetWeaver Exploitation rules (#4666) Samirbous 2026-01-22 18:58:02 +00:00
dcd7dadece reverting 07579f2bd7 (#5602) Terrance DeJesus 2026-01-22 13:44:18 -05:00
07579f2bd7 [Rule Tunings] AWS remove target.entity.id and actor.entity.id fields (#5563) Isai 2026-01-21 13:54:56 -05:00
5f4f9d206f [Rule Deprecations] AWS Rule Deprecations (#5568) Isai 2026-01-20 16:05:39 -05:00
9e6bf04e82 [Rule Tunings] AWS Removing Disclaimer from IGs (#5567) Isai 2026-01-20 15:52:48 -05:00
9055d564f5 [Rule Tuning] Web Server Rules (#5581) Jonhnathan 2026-01-20 15:30:57 -03:00
e459d8c25a [Rule Tuning] Potential Disabling of AppArmor - Restore AppArmor service filters (#5574) ailiffa 2026-01-19 06:19:24 -06:00
58b0d8e553 Update discovery_potential_port_scan_detected.toml (#5571) Jonhnathan 2026-01-16 23:21:12 -03:00
31de1789c4 [Tuning] Reduce NewTerm history_window_start for Windows Rules (#5560) Samirbous 2026-01-16 12:46:45 +00:00
4cb9a1775d Update Docs Token Ref (#5562) Eric Forte 2026-01-15 16:01:09 -05:00
891aa8b6d5 [FR] Add keep metadata check to esql schema test (#5441) dev-v1.5.29 Eric Forte 2026-01-14 16:03:24 -05:00
3ab961da42 Docs: improve WinRAR/7-Zip encrypted archive rule guidance (#5547) G. Blue Team Detection 2026-01-12 19:51:08 -03:00
e5291f455c Lock versions for releases: 8.19,9.1,9.2,9.3 (#5553) dev-v1.5.28 github-actions[bot] 2026-01-12 23:52:08 +05:30
ab34f25e54 [New Rules] Ollama Detections (#5546) Mika Ayenson, PhD 2026-01-12 11:05:15 -06:00
dd567e59de [Rule Deprecation] Agent Spoofing - Mismatched Agent ID (#5552) Jonhnathan 2026-01-12 13:44:13 -03:00
1ce072a4e5 Prep for Release 9.3 (#5548) dev-v1.5.27 shashank-elastic 2026-01-12 21:07:07 +05:30
8b84c26286 [Rule Tuning] Okta Sign-In Events via Third-Party IdP - Convert to New Terms (#5544) Terrance DeJesus 2026-01-12 09:40:09 -05:00
7c36743ce6 [New] Multiple Alerts in Same ATT&CK Tactic by Host (#5550) Samirbous 2026-01-12 14:19:51 +00:00
4e5b8be0de [Rule Tuning] New Okta Authentication Behavior Detected (#5542) Terrance DeJesus 2026-01-12 09:01:32 -05:00
de42a5aabd [New Rule] ConsentFix Detections (#5485) Terrance DeJesus 2026-01-12 08:45:50 -05:00
8bc4829432 [Tuning] Multiple Cloud Secrets Accessed by Source Address (#5549) Samirbous 2026-01-12 11:44:31 +00:00
7b4611713b [Rule Tuning] Entra ID Protection Sign-in and User Risk Detection Rules - Filter Remediated Risk States (#5535) Terrance DeJesus 2026-01-09 11:27:52 -05:00
2d5d826be7 [New] Multiple External EDR Alerts by Host (#5540) Samirbous 2026-01-09 15:51:51 +00:00
f123ffa0f8 [Rule Tuning] GenAI DR Tuning (#5506) Mika Ayenson, PhD 2026-01-09 08:23:03 -06:00
b39cfc34e6 [New] First Time Seen Elastic Defend Behavior Alert (#5528) Samirbous 2026-01-09 10:34:32 +00:00
5081735acc [New] Potential Persistence via Mandatory User Profile (#5530) Samirbous 2026-01-09 09:35:47 +00:00
fde2fa972e [Tuning] Process Created with an Elevated Token (#5532) Samirbous 2026-01-09 09:23:37 +00:00
e7cb01778b [Tuning] SMB (Windows File Sharing) Activity to the Internet (#5533) Samirbous 2026-01-08 21:52:09 +00:00
34daf12d51 [New Rules] Several GitHub Related Rules (#5470) Ruben Groenewoud 2026-01-08 17:19:12 +01:00
11769a4be3 [New/Tuning] Several New Linux Rules (#5531) Ruben Groenewoud 2026-01-08 16:00:50 +01:00
ee936cb154 [New Rule] Potential Password Spraying Attack via SSH (#5515) Ruben Groenewoud 2026-01-08 13:43:52 +01:00
1c1632e0b9 [Rule Tuning] Linux DR Tuning - 3 (#5483) Ruben Groenewoud 2026-01-08 13:32:43 +01:00
e1698890a4 [Rule Tuning] Linux DR Tuning - 7 (#5504) Ruben Groenewoud 2026-01-08 11:10:46 +01:00
ccd3f70ee8 [Rule Tuning] Linux DR Tuning - 6 (#5497) Ruben Groenewoud 2026-01-08 10:45:32 +01:00
c2747b0b29 [Rule Tuning] Linux DR Tuning - 4 (#5484) Ruben Groenewoud 2026-01-08 10:11:05 +01:00
b13afcdeaa [Rule Tuning] Linux DR Tuning - 8 (#5505) Ruben Groenewoud 2026-01-08 10:01:11 +01:00
d968f62a5a [Rule Tuning] Linux DR Tuning - 10 (#5510) Ruben Groenewoud 2026-01-08 09:32:57 +01:00
f98f4e5a95 [Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5525) Samirbous 2026-01-07 21:03:44 +00:00
98058816a7 [Rule Tuning] Entra ID Excessive Account Lockouts Detected (#5502) Terrance DeJesus 2026-01-07 11:38:04 -05:00
0165b97d30 [New] Suspected Lateral Movement from Compromised Host (#5521) Samirbous 2026-01-07 16:23:16 +00:00
38e2e4766f [Rule Tuning] Linux DR BBR Tuning (#5514) Ruben Groenewoud 2026-01-07 16:52:40 +01:00
ca0f32f28e [Rule Tuning] Linux DR CP Tuning (#5512) Ruben Groenewoud 2026-01-07 16:40:37 +01:00
80ee91b0f2 [Rule Tuning] Linux DR Tuning - 11 (#5511) Ruben Groenewoud 2026-01-07 16:31:13 +01:00
a973da1a6b [Rule Tuning] Linux DR Tuning - 9 (#5508) Ruben Groenewoud 2026-01-07 16:18:38 +01:00
473df70fbb [Rule Tuning] Linux DR Tuning - 5 (#5494) Ruben Groenewoud 2026-01-07 15:55:06 +01:00
066096f766 [Rule Tuning] Linux DR Tuning - 2 (#5481) Ruben Groenewoud 2026-01-06 17:00:55 +01:00
019c263ed2 [Rule Tuning] Linux DR Tuning - 1 (#5122) Ruben Groenewoud 2026-01-06 16:18:04 +01:00
08663dee79 Update persistence_webshell_detection.toml (#5524) Samirbous 2026-01-02 15:45:50 +00:00
74d6fe95c9 [New] Multiple Elastic Defend Alerts from Single Process Tree (#5522) Samirbous 2026-01-02 15:13:25 +00:00
c7adfd8b6d [Tuning] Elastic Defend and Network Security Alerts Correlation (#5518) Samirbous 2026-01-02 14:40:06 +00:00
f337926c52 Update initial_access_execution_susp_react_serv_child.toml (#5503) Samirbous 2026-01-01 18:27:33 +00:00
b0d3d7d960 [Rule Tuning] Entra ID OAuth PRT Issuance to Non-Managed Device Detected (#5464) Terrance DeJesus 2025-12-21 16:30:32 -05:00
0fd3df6239 [Rule Tuning] Entra ID User Sign-in with Unusual Registered Device (#5466) Terrance DeJesus 2025-12-21 15:51:13 -05:00
a14a1fd068 [Rule Tuning] AWS Service Quotas Multi-Region GetServiceQuota Requests (#5468) Isai 2025-12-19 16:46:45 -05:00
284d7d5b23 [Rule Tuning] AWS SQS Queue Purge (#5457) Isai 2025-12-19 15:51:43 -05:00
e8f317817e [Rule Tunings] AWS Config Rule Tunings (#5456) Isai 2025-12-19 13:58:45 -05:00
97b0bd84d8 [Rule Tunings] AWS Lambda Rules (#5451) Isai 2025-12-19 13:45:47 -05:00
12d257ed56 [Rule Tuning] AWS EC2 EBS Snapshot Access Removed (#5499) Isai 2025-12-19 13:28:27 -05:00
dd707b384d [Bug] Importing rules from directory uses wrong type (#5428) dev-v1.5.26 Eric Forte 2025-12-19 12:41:09 -05:00
b956a4350f [Rule Tuning] Multiple Alerts Involving a User (#5498) Jonhnathan 2025-12-19 12:57:25 -03:00
1d64bf0d76 [Rule Tuning] Potential Network Scan Detected (#5495) Jonhnathan 2025-12-19 12:38:57 -03:00
5bc834bfc6 [Rule Tuning] Shared Object Created or Changed by Previously Unknown … (#5469) Ruben Groenewoud 2025-12-19 14:32:31 +01:00
30883ab9c0 [New] React2Shell Network Security Alert (#5445) dev-v1.5.25 Samirbous 2025-12-19 12:22:44 +00:00
95cf506c9d [New] Suricata and Elastic Defend Network Correlation (#5443) Samirbous 2025-12-19 09:08:31 +00:00
4c9317b9cc [Rule Tuning] Entra ID User Sign-in with Unusual Client (#5473) Terrance DeJesus 2025-12-18 20:04:11 -05:00
1bd7dea8ed [Rule Tuning] Entra ID OAuth user_impersonation Scope for Unusual User and Client (#5462) Terrance DeJesus 2025-12-18 19:55:02 -05:00
bc6ad03f86 [Rule Tuning] AWS EventBridge Rule Disabled or Deleted (#5458) Isai 2025-12-18 16:56:04 -05:00
ed42a9e9dd [Rule Tuning] AWS CLI with Kali Linux Fingerprint Identified (#5467) Isai 2025-12-18 16:13:34 -05:00
c35a5801cd [Rule Tunings] AWS Route53 Rules (#5448) Isai 2025-12-18 14:49:10 -05:00
a1e40de4a5 [New] Alerts From Multiple Integrations by Entity (#5460) Samirbous 2025-12-18 18:04:58 +00:00
25545b5802 [Rule Tunings] AWS New Terms History Window Reduction (#5479) Isai 2025-12-18 11:47:59 -05:00
d1f9ebb890 [Rule Tunings] AWS WAF Rules (#5429) Isai 2025-12-18 11:27:37 -05:00
f9ba8a8f71 [Tuning] Top Noisy Windows BBR (#5480) Samirbous 2025-12-18 16:01:58 +00:00
b996a29451 [Tuning] Diverse Rules Tuning (#5482) Samirbous 2025-12-18 15:30:12 +00:00
57f18a1dcf [New Rule] GitHub Actions Bot Pushed to Repository for First Time (#5438) Terrance DeJesus 2025-12-18 09:58:57 -05:00
1119c3f137 [Docs] Fix Docs Unit Test (#5496) dev-v1.5.24 Jonhnathan 2025-12-18 10:56:09 -03:00
a9bdfaaea3 [Rule Tuning] PowerShell Rules - Misc Tuning/Severity Bumps (#5486) Jonhnathan 2025-12-18 08:30:22 -03:00
5ec8e3e500 [Rule Tuning] Communication App Rules (#5487) Jonhnathan 2025-12-18 07:38:18 -03:00
f43bf99698 [New Rule] GitHub Actions Workflow Injection Blocked (#5433) Terrance DeJesus 2025-12-17 14:29:33 -05:00
6ac69db7ba [Tuning] Elastic Defend and Email Alerts Correlation (#5459) dev-v1.5.23 Samirbous 2025-12-15 15:33:10 +00:00
a16307ecff [New/Tuning] Linux Tunneling Rules (#5452) Ruben Groenewoud 2025-12-15 10:44:08 +01:00
294e8292b8 [Rule Tuning] Security File Access via Common Utilities (#5453) Ruben Groenewoud 2025-12-15 10:25:36 +01:00
2cc1a341de Update lateral_movement_credential_access_kerberos_correlation.toml (#5455) Samirbous 2025-12-12 18:14:26 +00:00
a6548d9773 Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446) Samirbous 2025-12-12 17:47:11 +00:00
ef0ec1ac83 Update defense_evasion_suspicious_short_program_name.toml (#5454) Samirbous 2025-12-12 17:25:00 +00:00
3726611b93 [Tuning] Top Noisy Rules (#5449) Samirbous 2025-12-12 14:28:12 +00:00
2b1a4acae0 [Rule Tuning] Suspicious Network Connection via systemd (#5432) Ruben Groenewoud 2025-12-12 13:28:47 +01:00
d16ee304d5 [Rule Tuning] Unusual Web Server Command Execution (#5450) Ruben Groenewoud 2025-12-12 13:01:12 +01:00
fcb6c3c433 [Tuning] Suspicious React Server Child Process (#5447) Samirbous 2025-12-12 10:40:23 +00:00
cabf1c2a02 [Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172) Terrance DeJesus 2025-12-10 12:59:50 -05:00
f4085ad873 [Rule Tuning] New GitHub Self Hosted Action Runner (#5436) Terrance DeJesus 2025-12-10 10:55:47 -05:00
8f8ce76012 Update stale.yml Bot (#5434) Mika Ayenson, PhD 2025-12-10 08:56:23 -06:00
7a54ae33a5 [Rule Tuning] Add Missing Metadata to KEEP conditions (#5442) Jonhnathan 2025-12-09 22:05:20 -03:00
56574c99c3 [Rule Tuning] Potential Masquerading as Svchost (#5439) Jonhnathan 2025-12-09 18:56:38 -03:00
793ecfe34a Lock versions for releases: 8.19,9.0,9.1,9.2 (#5426) dev-v1.5.22 github-actions[bot] 2025-12-09 00:29:19 +05:30
b3173ac505 bumping min-stack to 9.0.0 (#5424) Terrance DeJesus 2025-12-08 13:02:59 -05:00

... 2 3 4 5 6 ...