sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Select branches

Hide Pull Requests

main

7.11

ML-Beaconing-20211130-1

ML-Beaconing-20211216-1

ML-DGA-20201111-1

ML-DGA-20201111-2

ML-DGA-20201111-3

ML-DGA-20201118-1

ML-DGA-20201216-1

ML-DGA-20210421-2

ML-DGA-20210421-3

ML-DGA-20210601-3

ML-DGA-20210602-3

ML-DGA-20210604-4

ML-DGA-20210629-5

ML-DGA-20210706-5

ML-HostRiskScore-20210728-1

ML-HostRiskScore-20210803-1

ML-HostRiskScore-20210826-2

ML-HostRiskScore-20211007-3

ML-HostRiskScore-20220210-4

ML-HostRiskScore-20220215-4

ML-HostRiskScore-20220228-5

ML-HostRiskScore-20220404-5

ML-ProblemChild-20210519-1

ML-ProblemChild-20210520-1

ML-ProblemChild-20210526-1

ML-ProblemChild-20210602-1

ML-URLSpoof-20210804-1

ML-URLSpoof-20210805-1

ML-UserRiskScore-20220628-1

ML-UserRiskScore-20220812-2

ML-experimental-detections-20200506-3

ML-experimental-detections-20201028-1

ML-experimental-detections-20201029-1

ML-experimental-detections-20201118-1

ML-experimental-detections-20201209-1

ML-experimental-detections-20201221-2

ML-experimental-detections-20210527-4

ML-experimental-detections-20210602-4

ML-experimental-detections-20210603-5

ML-experimental-detections-20210804-6

ML-experimental-detections-20210805-6

ML-experimental-detections-20211130-7

apr_2025_updates

aug_2025_updates

august_updates

dev-v0.1.0

dev-v0.1.2

dev-v0.1.3

dev-v0.1.4

dev-v0.1.5

dev-v0.1.6

dev-v0.1.7

dev-v0.2.0

dev-v0.2.1

dev-v0.3.0

dev-v0.3.1

dev-v0.3.10

dev-v0.3.11

dev-v0.3.12

dev-v0.3.13

dev-v0.3.14

dev-v0.3.15

dev-v0.3.16

dev-v0.3.17

dev-v0.3.18

dev-v0.3.19

dev-v0.3.2

dev-v0.3.3

dev-v0.3.4

dev-v0.3.5

dev-v0.3.6

dev-v0.3.7

dev-v0.3.8

dev-v0.3.9

dev-v0.4.0

dev-v0.4.1

dev-v0.4.10

dev-v0.4.11

dev-v0.4.12

dev-v0.4.13

dev-v0.4.14

dev-v0.4.15

dev-v0.4.16

dev-v0.4.17

dev-v0.4.18

dev-v0.4.19

dev-v0.4.2

dev-v0.4.20

dev-v0.4.21

dev-v0.4.22

dev-v0.4.23

dev-v0.4.24

dev-v0.4.25

dev-v0.4.26

dev-v0.4.3

dev-v0.4.4

dev-v0.4.5

dev-v0.4.6

dev-v0.4.7

dev-v0.4.8

dev-v0.4.9

dev-v1.0.0

dev-v1.0.1

dev-v1.0.10

dev-v1.0.13

dev-v1.0.14

dev-v1.0.15

dev-v1.0.16

dev-v1.0.17

dev-v1.0.18

dev-v1.0.2

dev-v1.0.3

dev-v1.0.4

dev-v1.0.5

dev-v1.0.6

dev-v1.0.7

dev-v1.0.8

dev-v1.0.9

dev-v1.1.0

dev-v1.1.1

dev-v1.1.2

dev-v1.1.3

dev-v1.1.4

dev-v1.1.5

dev-v1.1.6

dev-v1.1.7

dev-v1.2.0

dev-v1.2.1

dev-v1.2.10

dev-v1.2.11

dev-v1.2.12

dev-v1.2.13

dev-v1.2.14

dev-v1.2.15

dev-v1.2.16

dev-v1.2.17

dev-v1.2.18

dev-v1.2.19

dev-v1.2.2

dev-v1.2.20

dev-v1.2.21

dev-v1.2.22

dev-v1.2.23

dev-v1.2.24

dev-v1.2.25

dev-v1.2.26

dev-v1.2.3

dev-v1.2.4

dev-v1.2.5

dev-v1.2.7

dev-v1.2.8

dev-v1.2.9

dev-v1.3.0

dev-v1.3.1

dev-v1.3.10

dev-v1.3.11

dev-v1.3.12

dev-v1.3.13

dev-v1.3.14

dev-v1.3.15

dev-v1.3.16

dev-v1.3.17

dev-v1.3.18

dev-v1.3.19

dev-v1.3.2

dev-v1.3.20

dev-v1.3.21

dev-v1.3.22

dev-v1.3.23

dev-v1.3.24

dev-v1.3.25

dev-v1.3.26

dev-v1.3.27

dev-v1.3.28

dev-v1.3.29

dev-v1.3.3

dev-v1.3.30

dev-v1.3.31

dev-v1.3.32

dev-v1.3.33

dev-v1.3.4

dev-v1.3.5

dev-v1.3.6

dev-v1.3.7

dev-v1.3.9

dev-v1.4.0

dev-v1.4.1

dev-v1.4.10

dev-v1.4.11

dev-v1.4.12

dev-v1.4.2

dev-v1.4.3

dev-v1.4.4

dev-v1.4.5

dev-v1.4.6

dev-v1.4.7

dev-v1.4.8

dev-v1.4.9

dev-v1.5.0

dev-v1.5.1

dev-v1.5.10

dev-v1.5.11

dev-v1.5.12

dev-v1.5.13

dev-v1.5.14

dev-v1.5.15

dev-v1.5.16

dev-v1.5.17

dev-v1.5.18

dev-v1.5.19

dev-v1.5.2

dev-v1.5.20

dev-v1.5.21

dev-v1.5.22

dev-v1.5.23

dev-v1.5.24

dev-v1.5.25

dev-v1.5.26

dev-v1.5.27

dev-v1.5.28

dev-v1.5.29

dev-v1.5.3

dev-v1.5.31

dev-v1.5.32

dev-v1.5.33

dev-v1.5.34

dev-v1.5.35

dev-v1.5.36

dev-v1.5.37

dev-v1.5.38

dev-v1.5.39

dev-v1.5.4

dev-v1.5.40

dev-v1.5.41

dev-v1.5.42

dev-v1.5.43

dev-v1.5.44

dev-v1.5.45

dev-v1.5.46

dev-v1.5.47

dev-v1.5.48

dev-v1.5.49

dev-v1.5.5

dev-v1.5.50

dev-v1.5.51

dev-v1.5.52

dev-v1.5.53

dev-v1.5.54

dev-v1.5.56

dev-v1.5.6

dev-v1.5.7

dev-v1.5.8

dev-v1.5.9

dev-v1.6.0

dev-v1.6.1

dev-v1.6.10

dev-v1.6.11

dev-v1.6.12

dev-v1.6.13

dev-v1.6.14

dev-v1.6.15

dev-v1.6.16

dev-v1.6.17

dev-v1.6.18

dev-v1.6.19

dev-v1.6.2

dev-v1.6.20

dev-v1.6.21

dev-v1.6.22

dev-v1.6.23

dev-v1.6.24

dev-v1.6.25

dev-v1.6.26

dev-v1.6.28

dev-v1.6.29

dev-v1.6.3

dev-v1.6.30

dev-v1.6.31

dev-v1.6.32

dev-v1.6.4

dev-v1.6.5

dev-v1.6.6

dev-v1.6.7

dev-v1.6.8

dev-v1.6.9

dev7.10-ML-DGA-v0.1.0

dev7.10-ML-DGA-v0.1.0.zip

dev7.10-abc-v0.1.0

feb_2025_updates

integration-v0.13.1

integration-v0.13.2

integration-v0.13.3

integration-v0.14.1

integration-v0.14.2

integration-v0.14.3

integration-v0.16.1

integration-v0.16.2

integration-v1.0.1

integration-v1.0.2

integration-v7.16.3

integration-v7.16.4

integration-v7.16.5

integration-v8.1.1

integration-v8.10.1

integration-v8.10.10

integration-v8.10.11

integration-v8.10.12

integration-v8.10.13

integration-v8.10.14

integration-v8.10.15

integration-v8.10.16

integration-v8.10.17

integration-v8.10.18

integration-v8.10.2

integration-v8.10.3

integration-v8.10.4

integration-v8.10.5

integration-v8.10.6

integration-v8.10.7

integration-v8.10.8

integration-v8.10.9

integration-v8.11.1

integration-v8.11.10

integration-v8.11.11

integration-v8.11.12

integration-v8.11.13

integration-v8.11.14

integration-v8.11.15

integration-v8.11.16

integration-v8.11.17

integration-v8.11.18

integration-v8.11.19

integration-v8.11.2

integration-v8.11.20

integration-v8.11.21

c8cf88cd62 Refresh ECS (1.12.1) and beats (7.15.1) schemas (#1584) Justin Ibarra 2021-10-28 11:24:28 -05:00
fa3b089c4c Add support for eql-wildcard and kql-match_only_text (#1583) Justin Ibarra 2021-10-28 08:57:43 -05:00
d12c04761f Add support for eql-wildcard and kql-match_only_text (#1583) Justin Ibarra 2021-10-28 08:57:43 -05:00
3e717800a8 Updating docs to highlight explainability (#1542) Apoorva Joshi 2021-10-26 13:34:19 -07:00
0b57778be6 Updating docs to highlight explainability (#1542) Apoorva Joshi 2021-10-26 13:34:19 -07:00
cb3d90040e [Bug] Tighten definitions validation patterns (#1396) Justin Ibarra 2021-10-26 10:26:20 -05:00
ab17dfcc28 [Bug] Tighten definitions validation patterns (#1396) Justin Ibarra 2021-10-26 10:26:20 -05:00
cd3cef5996 [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) Austin Songer 2021-10-26 10:16:31 -05:00
ef7548f04c [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) Austin Songer 2021-10-26 10:16:31 -05:00
fa4bec7b9a [New Rule] PowerShell MiniDump Script (#1528) Jonhnathan 2021-10-26 12:09:16 -03:00
239384497f [New Rule] PowerShell MiniDump Script (#1528) Jonhnathan 2021-10-26 12:09:16 -03:00
5ca067e3e3 Add missing Integration field (#1537) Jonhnathan 2021-10-26 12:05:12 -03:00
4524c175c8 Add missing Integration field (#1537) Jonhnathan 2021-10-26 12:05:12 -03:00
ba09596949 [New Rule] AWS Route Table Created (#1257) Austin Songer 2021-10-26 08:25:53 -05:00
89553d84a9 [New Rule] AWS Route Table Created (#1257) Austin Songer 2021-10-26 08:25:53 -05:00
e81362e6ec Add test for improper rule demotion (released production -> development) (#1555) Justin Ibarra 2021-10-19 21:47:36 -08:00
5a69ceb0c5 Add test for improper rule demotion (released production -> development) (#1555) Justin Ibarra 2021-10-19 21:47:36 -08:00
a28bb7961a Add min_stack_comments to metadata schema (#1573) Justin Ibarra 2021-10-19 20:52:53 -08:00
5bdf70e72c Add min_stack_comments to metadata schema (#1573) Justin Ibarra 2021-10-19 20:52:53 -08:00
27da0d6ed7 [New Rule] Suspicious Portable Executable Encoded in Powershell Script (#1562) Jonhnathan 2021-10-18 17:50:16 -03:00
f50fb1d61b [New Rule] Suspicious Portable Executable Encoded in Powershell Script (#1562) Jonhnathan 2021-10-18 17:50:16 -03:00
db54ea7467 [New Rule] AWS EventBridge Rule Disabled or Deleted (#1572) Austin Songer 2021-10-18 13:36:21 -05:00
3ab67d1562 [New Rule] AWS EventBridge Rule Disabled or Deleted (#1572) Austin Songer 2021-10-18 13:36:21 -05:00
b1e60b6c45 [New Rule] DNS-over-HTTPS Enabled by Registry (#1379) Austin Songer 2021-10-15 21:25:12 -05:00
cf2b3ee753 [New Rule] DNS-over-HTTPS Enabled by Registry (#1379) Austin Songer 2021-10-15 21:25:12 -05:00
66f447cfff [New Rule] AWS EFS File System or Mount Deleted (#1462) Austin Songer 2021-10-15 21:23:07 -05:00
2c39bb962f [New Rule] AWS EFS File System or Mount Deleted (#1462) Austin Songer 2021-10-15 21:23:07 -05:00
1771e33876 [New Rule] AWS Suspicious SAML Activity (#1498) Austin Songer 2021-10-15 21:11:15 -05:00
702524b1f7 [New Rule] AWS Suspicious SAML Activity (#1498) Austin Songer 2021-10-15 21:11:15 -05:00
b090e60bd6 [New Rule] Azure Full Network Packet Capture Detected (#1420) Austin Songer 2021-10-15 21:06:27 -05:00
50501bb40f [New Rule] Azure Full Network Packet Capture Detected (#1420) Austin Songer 2021-10-15 21:06:27 -05:00
69dbb5f655 [New Rule] Azure Virtual Network Device Modified or Deleted (#1421) Austin Songer 2021-10-15 14:11:05 -05:00
790586fb57 [New Rule] Azure Virtual Network Device Modified or Deleted (#1421) Austin Songer 2021-10-15 14:11:05 -05:00
af3571ea6e [New Rule] Azure Kubernetes Pods Deleted (#1309) Austin Songer 2021-10-15 14:07:39 -05:00
761df5fe84 [New Rule] Azure Kubernetes Pods Deleted (#1309) Austin Songer 2021-10-15 14:07:39 -05:00
ecc65a28bc [New Rule] AWS RDS Snapshot Restored (#1312) Austin Songer 2021-10-15 14:05:00 -05:00
dc980effb0 [New Rule] AWS RDS Snapshot Restored (#1312) Austin Songer 2021-10-15 14:05:00 -05:00
8c2c6ea6ec [New Rule] Microsoft 365 - Mass download by a single user (#1348) Austin Songer 2021-10-15 14:01:50 -05:00
3303a4e255 [New Rule] Microsoft 365 - Mass download by a single user (#1348) Austin Songer 2021-10-15 14:01:50 -05:00
9021db6188 [New Rule] AWS Route53 hosted zone associated with a VPC (#1365) Austin Songer 2021-10-15 13:59:33 -05:00
90504915ad [New Rule] AWS Route53 hosted zone associated with a VPC (#1365) Austin Songer 2021-10-15 13:59:33 -05:00
25733e1d67 [New Rule] AWS STS AssumeRole Usage (#1214) Austin Songer 2021-10-15 13:56:10 -05:00
d7eab5bbf3 [New Rule] AWS STS AssumeRole Usage (#1214) Austin Songer 2021-10-15 13:56:10 -05:00
8bb2d27451 [New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267) Austin Songer 2021-10-15 13:42:25 -05:00
27ba204f1c [New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267) Austin Songer 2021-10-15 13:42:25 -05:00
8f55556006 [New Rule] Azure Blob Permissions Modification (#1499) Austin Songer 2021-10-14 04:59:24 -05:00
7123d46623 [New Rule] Azure Blob Permissions Modification (#1499) Austin Songer 2021-10-14 04:59:24 -05:00
358585b2c1 [New Rule] Azure Kubernetes Events Deleted (#1307) Austin Songer 2021-10-14 04:57:33 -05:00
3d15c2072d [New Rule] Azure Kubernetes Events Deleted (#1307) Austin Songer 2021-10-14 04:57:33 -05:00
fe36864c77 [New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548) Jonhnathan 2021-10-14 06:54:45 -03:00
b7dcbbae72 [New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548) Jonhnathan 2021-10-14 06:54:45 -03:00
8964e5d646 [Rule Tuning] Update network.direction (#1547) Jonhnathan 2021-10-13 21:46:36 -03:00
cc241c0b5e [Rule Tuning] Update network.direction (#1547) Jonhnathan 2021-10-13 21:46:36 -03:00
847b08a1bd Lock versions for releases: 7.13,7.14,7.15 (#1545) integration-v0.14.2 github-actions[bot] 2021-10-13 14:23:26 -08:00
c6ddb44445 Lock versions for releases: 7.13,7.14,7.15 (#1545) github-actions[bot] 2021-10-13 14:23:26 -08:00
76a60c5ca8 [New Rule] Microsoft 365 - Impossible travel activity (#1344) Austin Songer 2021-10-12 17:11:32 -05:00
11fa592c6f [New Rule] Microsoft 365 - Impossible travel activity (#1344) Austin Songer 2021-10-12 17:11:32 -05:00
76ca7f5fc9 [New Rule] Microsoft 365 - User Restricted from Sending Email (#1345) Austin Songer 2021-10-12 16:32:54 -05:00
c8ac37957d [New Rule] Microsoft 365 - User Restricted from Sending Email (#1345) Austin Songer 2021-10-12 16:32:54 -05:00
7cf664b160 [New Rule] Microsoft 365 - Unusual Volume of File Deletion (#1347) Austin Songer 2021-10-12 16:30:49 -05:00
fa9da023dd [New Rule] Microsoft 365 - Unusual Volume of File Deletion (#1347) Austin Songer 2021-10-12 16:30:49 -05:00
b4d584fbc6 [New Rule] Microsoft 365 - Potential ransomware activity (#1346) Austin Songer 2021-10-12 16:26:17 -05:00
98c217ece9 [New Rule] Microsoft 365 - Potential ransomware activity (#1346) Austin Songer 2021-10-12 16:26:17 -05:00
088c8a8354 [New Rule] AWS Route Table Modified or Deleted (#1258) Austin Songer 2021-10-12 13:16:48 -05:00
82e72a956b [New Rule] AWS Route Table Modified or Deleted (#1258) Austin Songer 2021-10-12 13:16:48 -05:00
f24b42980d Updating host risk score docs (#1518) Apoorva Joshi 2021-10-07 20:38:24 -07:00
74fa8ebe48 Updating host risk score docs (#1518) Apoorva Joshi 2021-10-07 20:38:24 -07:00
7d9f7e6a56 [New Rule] Rules to detect screensaver persistence on macOS (#1531) David French 2021-10-07 08:22:58 -06:00
cdbd5a6515 [New Rule] Rules to detect screensaver persistence on macOS (#1531) ML-HostRiskScore-20211007-3 David French 2021-10-07 08:22:58 -06:00
9c9ef21878 Update defense_evasion_execution_windefend_unusual_path.toml (#1492) LaZyDK 2021-10-05 21:38:01 +02:00
43f0d77033 Update defense_evasion_execution_windefend_unusual_path.toml (#1492) LaZyDK 2021-10-05 21:38:01 +02:00
bd7616e912 [New Rule] AWS ElastiCache Security Group Created (#1363) Austin Songer 2021-10-05 12:00:29 -05:00
9508002bb3 [New Rule] AWS ElastiCache Security Group Created (#1363) Austin Songer 2021-10-05 12:00:29 -05:00
bd8eeae6ca Made these pull requests before the directory restructure. (#1517) Austin Songer 2021-10-05 07:29:40 -05:00
3b0d2006b7 Made these pull requests before the directory restructure. (#1517) Austin Songer 2021-10-05 07:29:40 -05:00
29d1ee4ae5 [Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514) Austin Songer 2021-10-04 16:31:31 -05:00
0a3c44e8db [Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514) Austin Songer 2021-10-04 16:31:31 -05:00
89cba0af95 [Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524) Andrew Pease 2021-10-04 14:00:35 -05:00
d5a8f41864 [Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524) Andrew Pease 2021-10-04 14:00:35 -05:00
3471522807 [New Rule] Backup Files Deletion (#1516) Jonhnathan 2021-10-04 15:55:52 -03:00
f2b58cc0ab [New Rule] Backup Files Deletion (#1516) Jonhnathan 2021-10-04 15:55:52 -03:00
c2fc2af03b [New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364) Austin Songer 2021-10-04 13:38:37 -05:00
f41714642c [New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364) Austin Songer 2021-10-04 13:38:37 -05:00
d0eaf3ed26 [New Rule] Volume Shadow Copy Deletion via PowerShell (#1358) Austin Songer 2021-10-04 12:58:02 -05:00
6298f7b00a [New Rule] Volume Shadow Copy Deletion via PowerShell (#1358) Austin Songer 2021-10-04 12:58:02 -05:00
8033c0a260 Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511) Jonhnathan 2021-09-30 18:08:35 -03:00
ba9c01be50 Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511) Jonhnathan 2021-09-30 18:08:35 -03:00
ed57d46d15 [Rule Tuning] Small update on rule descriptions (#1508) Jonhnathan 2021-09-30 17:54:15 -03:00
5e4a7e67df [Rule Tuning] Small update on rule descriptions (#1508) Jonhnathan 2021-09-30 17:54:15 -03:00
1c70f69b2f [New Rule] Virtual Machine Fingerprinting via Grep (#1510) Samirbous 2021-09-30 14:40:05 -04:00
76a0224f60 [New Rule] Virtual Machine Fingerprinting via Grep (#1510) Samirbous 2021-09-30 14:40:05 -04:00
6f30bf3f7f [New Rule] Potential Lsass Memory Dump via MirrorDump (#1504) Samirbous 2021-09-30 04:16:36 -04:00
521e4dc8f1 [New Rule] Potential Lsass Memory Dump via MirrorDump (#1504) Samirbous 2021-09-30 04:16:36 -04:00
09f49da822 [New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393) Austin Songer 2021-09-29 12:08:09 -05:00
d28c48f20f [New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393) Austin Songer 2021-09-29 12:08:09 -05:00
ba458dea13 [New Rule] New or Modified Federation Domain (#1212) Austin Songer 2021-09-29 07:16:17 -05:00
a51ed86851 [New Rule] New or Modified Federation Domain (#1212) Austin Songer 2021-09-29 07:16:17 -05:00
17845c2bf9 [New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211) Austin Songer 2021-09-27 16:18:33 -05:00
5ac7fb639c [New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211) Austin Songer 2021-09-27 16:18:33 -05:00
371247b0b2 [Rule Tuning] Add system index to Windows Event Logs Cleared (#1502) Justin Ibarra 2021-09-24 09:04:56 -08:00

... 40 41 42 43 44 ...