security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Commit Graph

  • 1fb0b6726e Fix rule filenames during packaging (#1158) ML-experimental-detections-20200506-3 Justin Ibarra 2021-05-05 11:27:04 -08:00
  • 3d7f5d73a4 Allow ML rules to accept a single or array of job IDs (#1167) Justin Ibarra 2021-05-05 08:58:28 -08:00
  • 16b2761415 Allow ML rules to accept a single or array of job IDs (#1167) Justin Ibarra 2021-05-05 08:58:28 -08:00
  • 7040538a9a bump packages version to 7.14 ML-experimental-detections-20210804-6 ML-experimental-detections-20210527-4 ML-URLSpoof-20210804-1 ML-ProblemChild-20210526-1 ML-ProblemChild-20210520-1 ML-ProblemChild-20210519-1 ML-HostRiskScore-20210728-1 ML-DGA-20210629-5 ML-DGA-20210601-3 ML-DGA-20210421-3 ML-DGA-20210421-2 Justin Ibarra 2021-04-30 11:32:18 -08:00
  • 82ec6ac1ee Convert windows rules from KQL to EQL (#1114) Justin Ibarra 2021-04-30 11:21:12 -08:00
  • 92eaa5b18a [New Rule] Threat intel indicator match rule (#1133) Andrew Pease 2021-04-26 07:07:04 -05:00
  • 8362578492 [Rule Tuning] AWS IAM Deactivation of MFA Device (#1132) Austin Songer 2021-04-23 18:52:54 +00:00
  • a0a3143a52 Refresh beats and ecs schemas (#1140) Justin Ibarra 2021-04-22 12:49:06 -05:00
  • 8d8bcfbc42 Add wildcard field support to KQL (#1139) Ross Wolf 2021-04-22 11:15:38 -06:00
  • cabe9239c0 Add threat_match rule type (#1138) Justin Ibarra 2021-04-22 12:03:57 -05:00
  • 8789dd7c90 Separate out query validation from the class hierarchy (#1136) Ross Wolf 2021-04-21 14:55:26 -06:00
  • ff45539369 [Deprecation] Deprecate inherently noisy rules based on testing (#1122) Brent Murphy 2021-04-21 19:10:06 +00:00
  • e656a984b3 Update threshold rule schema to disallow empty field string (#1099) Justin Ibarra 2021-04-15 17:22:45 -05:00
  • 791c911b9e Merge branch '7.12' into main Ross Wolf 2021-04-15 16:17:59 -06:00
  • 5669988e0b Remove unnecessary required=False check Ross Wolf 2021-04-15 16:16:42 -06:00
  • 0400dc207a [Deprecation] Process Discovery via Tasklist (#1116) Samirbous 2021-04-15 22:18:56 +02:00
  • e323084433 [Deprecation] Trusted Developer Application Usage (#1118) Samirbous 2021-04-15 22:15:38 +02:00
  • 170b87097d [New Rule] Potential Protocol Tunneling via EarthWorm (#1094) Samirbous 2021-04-15 10:17:56 +02:00
  • b0f449339d add branch_name option to kibana-commit command Justin Ibarra 2021-04-14 21:16:09 -08:00
  • dbd2874b4f [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files (#1026) Justin Ibarra 2021-04-14 23:24:44 -05:00
  • 9bbb122d20 Update the prebuilt rule link Ross Wolf 2021-04-14 22:02:46 -06:00
  • 8f78afb8e5 [Rule Tuning] Windows Suspicious Script Object Execution (#1081) Samirbous 2021-04-14 23:54:39 +02:00
  • c1fd3b3374 [Rule Tuning] AWS Config Service Tampering (#1108) Brent Murphy 2021-04-14 17:13:27 -04:00
  • 4a46b2f03b Create collection_microsoft_365_new_inbox_rule.toml (#1068) Brent Murphy 2021-04-14 17:06:39 -04:00
  • 7408133f79 [New Rule] Potential Remote Desktop Shadowing Activity (#1101) Samirbous 2021-04-14 22:09:49 +02:00
  • 66dff28498 [Rule Tuning] Public IP Reconnaissance Activity (#1091) dstepanic17 2021-04-14 07:58:00 -07:00
  • c64e700c56 [Rule Tuning] Update Cloud Rule Syntax (#1061) Brent Murphy 2021-04-14 10:49:28 -04:00
  • 00923dcde1 [Rule Tuning] Setuid / Setgid Bit Set via chmod (#1032) Samirbous 2021-04-14 16:41:37 +02:00
  • 2926e98c5d [Rule Tuning] Startup or Run Key Registry Modification (#1086) Samirbous 2021-04-14 16:38:00 +02:00
  • 1354d8059c [New Rule] Network Logon Providers Registry Modification (#1053) Samirbous 2021-04-14 16:31:46 +02:00
  • dc774517bf [New Rule] Persistence via Scheduled Job Creation (#1038) Samirbous 2021-04-14 16:15:54 +02:00
  • 731d2b2a54 [Rule Tuning] Unusual Persistence via Services Registry (#1077) Samirbous 2021-04-14 16:09:46 +02:00
  • 462fab3ff8 Update threshold rule schema to disallow empty field string (#1098) Justin Ibarra 2021-04-14 07:56:38 -05:00
  • dd4bc3e57e [Rule Tuning] Connection to Commonly Abused Web Services (#1079) Samirbous 2021-04-14 00:53:27 +02:00
  • 0fe09aaed5 [New Rule] NullSessionPipe Registry Modification (#1058) Samirbous 2021-04-14 00:50:31 +02:00
  • 0ba469dbe4 [Rule Tuning] Modification of Standard Authentication Module or Confi… (#1056) Samirbous 2021-04-14 00:36:38 +02:00
  • 0669e9be00 [New Rule] Suspicious Startup Shell Folder Modification (#1042) Samirbous 2021-04-14 00:33:54 +02:00
  • f2bc0c685d [Rule Tuning] Suspicious Explorer Child Process (#1035) Samirbous 2021-04-14 00:10:29 +02:00
  • 0cc0e3d31f [New Rule] Persistence via BITS Job Notify Cmdline (#1096) Samirbous 2021-04-13 23:25:30 +02:00
  • af067797c2 Update defense_evasion_unusual_network_connection_via_rundll32.toml (#1109) Brent Murphy 2021-04-13 16:58:30 -04:00
  • 3876ef3a37 Adjust loopback for Cloudtrail (#1103) Bobby Filar 2021-04-13 13:58:13 -04:00
  • a7bb15eaf7 [Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#1046) David French 2021-04-13 11:31:47 -06:00
  • aa61283dfa [Rule Tuning] Local Service Commands (#1044) Brent Murphy 2021-04-13 12:31:45 -04:00
  • 31daa7b36a [Rule Tuning] Keychain Password Retrieval via Command Line (#992) Samirbous 2021-04-13 18:16:43 +02:00
  • b5bd9d2fe1 Bump version for endpoint promotion rules for 7.12.1 (#1082) Justin Ibarra 2021-04-12 08:55:51 -05:00
  • 414d320276 [Rule Tuning] Local Scheduled Task Commands (#1043) Brent Murphy 2021-04-08 14:28:21 -04:00
  • 0095a80014 Network rules for the 7.13 release (#1087) Apoorva Joshi 2021-04-08 09:34:47 -07:00
  • 92313b479a Lock 7.12 rule versions (#1083) Justin Ibarra 2021-04-06 13:48:17 -05:00
  • cb5f9e6a2b [New Rule] Persistence via WMI Standard Registry Provider (#1040) Samirbous 2021-04-06 17:50:02 +02:00
  • 0c70d56dcd [Rule Tuning] Potential Command and Control via Internet Explorer (#1070) Samirbous 2021-04-06 11:17:19 +02:00
  • b12437c88c Remove dead code in the rule loader Ross Wolf 2021-04-05 14:30:26 -06:00
  • 6ed1a39efe Add a RuleCollection object instead of a "loader" module (#1063) Ross Wolf 2021-04-05 14:23:37 -06:00
  • 07be6b701d Change the asset .type field (#1075) Ross Wolf 2021-04-05 10:50:58 -06:00
  • 1e6e49a2cb Change the JSON schema for the security_rule Kibana asset (#1066) Ross Wolf 2021-03-30 13:31:02 -06:00
  • 62503af9d1 lock elasticsearch dependency at 7.9 Justin Ibarra 2021-03-29 10:32:48 -08:00
  • 8ee1b2ffd4 Fix the version lock update code (#1064) Ross Wolf 2021-03-25 14:48:31 -06:00
  • c0af222e7e Move Rule into a dataclass (#1029) Ross Wolf 2021-03-24 10:24:32 -06:00
  • cc6711c240 add reference to DGA and solarwinds blogs in ml_dga.md Justin Ibarra 2021-03-19 10:58:51 -08:00
  • 6963c5a445 Change asset type to security_rule (#1054) Ross Wolf 2021-03-19 08:55:02 -06:00
  • 687c9feba3 [Rule Tuning] Persistence via Login or Logout Hook (#1020) Samirbous 2021-03-19 10:32:51 +01:00
  • 3e1169317f [Rule Tuning] Timestomping using Touch Command (#1006) Samirbous 2021-03-19 10:26:40 +01:00
  • 9cff72bbcb [Rule Tuning] Connection to Commonly Abused Web Services (#1016) Samirbous 2021-03-19 10:23:12 +01:00
  • dd1214627a [Rule Tuning] Modification of Environment Variable via Launchctl (#1010) Samirbous 2021-03-19 10:20:04 +01:00
  • 04f3cd967d [Rule Tuning] Execution from Unusual Directory - Command Line (#1012) Samirbous 2021-03-19 10:16:47 +01:00
  • 511a74ef27 [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities (#1028) Samirbous 2021-03-19 10:05:09 +01:00
  • be3c7eaf45 [Rule Tuning] WebProxy Settings Modification (#1008) Samirbous 2021-03-19 10:00:50 +01:00
  • 83dfe911bc [Rule Tuning] Program Files Directory Masquerading (#1018) Samirbous 2021-03-19 09:55:08 +01:00
  • bcc8b6922c [Rule Tuning] Suspicious macOS MS Office Child Process (#1022) Samirbous 2021-03-19 09:48:27 +01:00
  • 8e139012f7 [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream (#1014) Samirbous 2021-03-19 09:45:57 +01:00
  • f800199cc5 [Rule Tuning] Access to Keychain Credentials Directories (#999) Samirbous 2021-03-19 09:42:32 +01:00
  • 04ea1a72c7 [Rule Tuning] Security Software Discovery via Grep (#994) Samirbous 2021-03-18 15:46:26 +01:00
  • 21290cc055 [Rule Tuning] Command Shell Activity Started via RunDLL32 (#996) Samirbous 2021-03-18 15:14:22 +01:00
  • 32714b8527 [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#988) Samirbous 2021-03-18 15:11:42 +01:00
  • bc74838c0b [Rule Tuning] Suspicious WerFault Child Process (#990) Samirbous 2021-03-18 15:08:44 +01:00
  • 0ca39df508 remove labeler action files brokensound77 2021-03-17 19:19:32 -08:00
  • 8e12fe7136 Create labeler.yml Justin Ibarra 2021-03-17 10:40:50 -08:00
  • d4cc4432ce Add tests to ensure rules are properly deprecated (#1050) Justin Ibarra 2021-03-17 00:31:33 -05:00
  • 93f8f2dd94 Change asset type for integration to security-rule (#1048) Ross Wolf 2021-03-16 16:05:30 -06:00
  • 5c2da0b5c4 Move Rule.build to cli_utils.rule_prompt (#1024) Ross Wolf 2021-03-09 16:37:53 -07:00
  • fc9dfde2c4 Generate an integrations package from a release (#983) Justin Ibarra 2021-03-09 13:30:12 -09:00
  • 2fe48e3225 Merge pull request #1004 from brokensound77/merge-7.12-to-main Justin Ibarra 2021-03-08 20:31:41 -09:00
  • 4b5d2542cf Merge remote-tracking branch 'upstream/main' into merge-7.12-to-main brokensound77 2021-03-08 14:41:21 -09:00
  • 0b65678d8c [Rule tuning] Correct tags with associated threat mappings (#1003) Justin Ibarra 2021-03-08 14:12:29 -09:00
  • 309edf7f4a Create initial_access_suspicious_ms_exchange_worker_child_process.toml (#1001) Brent Murphy 2021-03-08 16:45:27 -05:00
  • 0e0b2ea1a4 Update schema for threshold rule type for 7.12 (#976) Justin Ibarra 2021-03-05 14:35:50 -09:00
  • 0ef7d87b34 [Rule Tuning] Fix inconsistent rule indexes (#974) Justin Ibarra 2021-03-05 11:16:02 -09:00
  • 3b7eedcc31 wrap azure operation name (#981) Brent Murphy 2021-03-04 17:50:19 -05:00
  • 4d3ef43b01 [Rule Tuning] Update "Endpoint Security" to "Elastic Endgame" for the relevant Endgame promotion rules (#978) Brent Murphy 2021-03-04 17:21:17 -05:00
  • 4494b02e01 [New Rule] Microsoft Exchange Server’s Unified Messaging Spawning Vulnerability - CVE-2021-26857 (#979) Andrew Pease 2021-03-04 15:46:49 -06:00
  • 13a6036fcc [New Rule] HAFNIUM MS Exchange UM Service Writing - CVE-2021-26858 (#980) Andrew Pease 2021-03-04 15:40:21 -06:00
  • 3fc34b86f2 Update License to Elastic v2 (#944) Justin Ibarra 2021-03-03 22:12:11 -09:00
  • 8c4df09542 [New Rule] Installer Spawning cURL from macOS Package (#960) Andrew Pease 2021-02-26 09:46:01 -06:00
  • 3d4aee263f Update issue templates (#956) Justin Ibarra 2021-02-23 11:16:03 -09:00
  • 7b9ae51bcf Bump EQL dependency to 0.9.9 Ross Wolf 2021-02-22 11:49:31 -07:00
  • b04218ec21 [CLI] Add repo option to kibana-diff command (#952) Justin Ibarra 2021-02-17 23:49:40 -09:00
  • 645a0cd67b [Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945) Justin Ibarra 2021-02-17 19:49:58 -09:00
  • 134b310fdd Merge pull request #950 from brokensound77/merge-7.11-to-7.12 Justin Ibarra 2021-02-17 14:26:54 -09:00
  • 2e0bb6c617 remove deprecated rule again brokensound77 2021-02-17 14:15:21 -09:00
  • a77bd6178f Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12 brokensound77 2021-02-17 14:11:50 -09:00
  • 90a9320f93 [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951) Justin Ibarra 2021-02-17 13:48:57 -09:00