Commit Graph

  • ae377c31a0 [Rule Tuning] Remove New Wiz Defend Rule (Add Wiz Defend to External Alerts) (#5422) Terrance DeJesus 2025-12-08 11:54:22 -05:00
  • 58a514340b December Schema Refresh (#5420) dev-v1.5.21 shashank-elastic 2025-12-08 22:07:46 +05:30
  • 8c5231ec4e [Rule Tuning] AWS RDS DB Snapshot Shared with Another Account (#5418) Isai 2025-12-08 11:11:36 -05:00
  • f2d8ab54d7 [Rule Tuning] AWS KMS Customer Managed Key Disabled or Scheduled for Deletion (#5417) Isai 2025-12-08 10:55:03 -05:00
  • f885b3b70d [Rule Tuning] AWS S3 Bucket Replicated to Another Account (#5405) Isai 2025-12-08 10:43:39 -05:00
  • 9793d90193 [Rule Tunings] AWS Multiple API Calls ESQL rules (#5238) Isai 2025-12-08 10:31:09 -05:00
  • 7aacebba02 [Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#5421) Ruben Groenewoud 2025-12-08 14:24:23 +01:00
  • 3bcacdb4ee Update lateral_movement_scheduled_task_target.toml to fix null values (#5228) theusername-sudo 2025-12-08 07:10:20 -06:00
  • e79629ffe4 [New Rule] Wiz Defend Promotion Alerts (#5410) Terrance DeJesus 2025-12-08 07:55:05 -05:00
  • 8ddf8a838e Update defense_evasion_masquerading_as_svchost.toml (#5416) Samirbous 2025-12-08 12:15:40 +00:00
  • bd9b1f222d [Rule Tuning] Suspicious React Server Child Process (#5419) Ruben Groenewoud 2025-12-08 12:50:41 +01:00
  • 0b949910a5 [New Rule] React2Shell Detection (#5408) Terrance DeJesus 2025-12-05 18:37:54 -05:00
  • 896b6a214a [Tuning] Rare Connection to WebDAV Target (#5415) Samirbous 2025-12-05 22:31:01 +00:00
  • cea2f43732 [New Rule] AWS EC2 LOLBin Execution via SSM (#5354) Terrance DeJesus 2025-12-05 16:14:33 -05:00
  • f40a383b7e [New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352) dev-v1.5.20 Mika Ayenson, PhD 2025-12-05 12:26:56 -06:00
  • 97583418f4 [Rule Tuning] AWS STS AssumeRoot by Rare User and Member Account (#5398) Isai 2025-12-05 12:58:01 -05:00
  • b3d7804a00 [Rule Tuning] AWS S3 Object Encryption Using External KMS Key (#5399) Isai 2025-12-05 12:04:23 -05:00
  • 3bfbafe583 [Rule Tuning] AWS Access Token Used from Multiple Addresses (#5412) Isai 2025-12-05 11:48:22 -05:00
  • 72a2b44db1 [Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413) Ruben Groenewoud 2025-12-05 16:42:52 +01:00
  • b8aedcd7aa [Rule Tuning] Update PowerShell ES|QL Rules KEEP Condition (#5391) Jonhnathan 2025-12-05 09:17:02 -03:00
  • f427735610 [Tuning] Suspicious React Child Process (#5414) Samirbous 2025-12-05 11:26:48 +00:00
  • 612928b34c [Rule Tuning] Potential Persistence via File Modification (#5404) Ruben Groenewoud 2025-12-05 10:32:58 +01:00
  • e1166652c4 [New Rule] Web Server Potential Remote File Inclusion Activity (#5394) Ruben Groenewoud 2025-12-05 09:57:56 +01:00
  • 4920e9a60f [New Rule] Web Server Local File Inclusion Activity (#5393) Ruben Groenewoud 2025-12-05 09:47:29 +01:00
  • 36baf8c898 [New] Suspicious React Server Child Process (#5407) Samirbous 2025-12-04 21:32:20 +00:00
  • 166da45561 [New] Multiple Cloud Secrets Accessed by Source Address (#5388) Samirbous 2025-12-04 18:04:25 +00:00
  • efef99befd [New Rule] Potential HTTP Downgrade Attack (#5372) Ruben Groenewoud 2025-12-04 16:23:38 +01:00
  • f42b5143a6 [New Rule] Initial Access via File Upload Followed by GET Request (#5371) Ruben Groenewoud 2025-12-04 16:10:13 +01:00
  • 7a884ebe2b [Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403) Terrance DeJesus 2025-12-04 09:07:12 -05:00
  • f32db7b3ad [New] Suspicious Microsoft Entra ID Concurrent Sign-Ins via DeviceCode (#5396) Samirbous 2025-12-03 19:33:05 +00:00
  • 61c9344677 [Rule Tuning] M365 OneDrive Excessive File Downloads with OAuth Token (#5365) Terrance DeJesus 2025-12-03 14:13:35 -05:00
  • 9b26cd21b7 [Deprecation] AWS Redshift Cluster Creation (#5367) Isai 2025-12-03 13:02:19 -05:00
  • a8dbf2cf16 [FR] Expand CUSTOM_RULES_DIR to support user relative paths (#5390) dev-v1.5.19 Eric Forte 2025-12-03 12:19:29 -05:00
  • 634de61d6d [FR] ES|QL remote validation support newline split indices (#5356) dev-v1.5.18 Eric Forte 2025-12-03 11:50:51 -05:00
  • 0e67a02594 [Rule Tuning] AWS IAM Brute Force of Assume Role Policy (#5282) Isai 2025-12-03 11:31:06 -05:00
  • 4fc6aa9a35 [New Rule] Unusual Web Server Command Execution (#5392) Ruben Groenewoud 2025-12-03 16:29:08 +01:00
  • f098336ff9 [New Rule] Pod or Container Creation with Suspicious Command-Line (#5379) Ruben Groenewoud 2025-12-03 16:14:33 +01:00
  • d3745c21a7 [Rule Tuning] Python Startup Hook Rules (#5400) Ruben Groenewoud 2025-12-03 15:13:26 +01:00
  • f8f4c0476b [Rule Tuning] AWS EFS File System Deleted (#5369) Isai 2025-12-02 18:45:02 -05:00
  • 3ff5f6ba72 [Rule Tunings] AWS RDS Rules (#5366) Isai 2025-12-02 17:35:36 -05:00
  • bc6f9b55f4 [Rule Tuning] Potential PowerShell Obfuscated Script (#5389) Jonhnathan 2025-12-02 13:30:54 -03:00
  • 02979fec68 [New/Tuning] NPM Shai-Hulud coverage (#5368) Samirbous 2025-12-02 10:57:12 +00:00
  • f14a527055 [New Rule] Web Server Potential SQL Injection Request (#5342) Ruben Groenewoud 2025-12-02 10:46:48 +01:00
  • 046d52c902 [New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370) Ruben Groenewoud 2025-12-02 10:22:24 +01:00
  • 4a042d1a22 [Rule Tuning] File Deletion via Shred (#5381) Ruben Groenewoud 2025-12-02 10:13:29 +01:00
  • a6569a824f [Rule Tuning] At Job Created or Modified (#5378) Ruben Groenewoud 2025-12-02 09:55:41 +01:00
  • e8ecba7d00 [New Rule] Potential Secret Scanning via Gitleaks (#5377) Ruben Groenewoud 2025-12-02 09:42:19 +01:00
  • 2abd3de795 [New Rule] Privileged Container Creation with Host Directory Mount (#5373) Ruben Groenewoud 2025-12-02 09:33:16 +01:00
  • e19ce18a40 [Rule Tunings] Misc. Web Server Rules (#5384) Ruben Groenewoud 2025-12-02 09:21:16 +01:00
  • 7595709a25 add mitre attack rules for ML job rules, bump dates (#5333) Gus Carlock 2025-12-01 15:48:59 -06:00
  • 6915e3956f [Rule Tuning] Persistence via a Windows Installer (#5386) Jonhnathan 2025-12-01 12:54:23 -03:00
  • aaf3c93377 [Rule Tuning] Potential System Tampering via File Modification (#5385) Jonhnathan 2025-12-01 12:45:03 -03:00
  • 85a9c7180d [Rule Tuning] Windows Misc Tuning (#5382) Jonhnathan 2025-12-01 12:28:25 -03:00
  • bcd1b5049a Update multiple_alerts_elastic_defend_netsecurity_by_host.toml (#5375) Samirbous 2025-12-01 15:18:19 +00:00
  • 5e1ac4f450 [Tuning] Powershell Atomics test gaps for T1059.001 (#5380) Samirbous 2025-12-01 15:06:48 +00:00
  • 20d86c8b47 [Rule Tuning] Host File System Changes via Windows Subsystem for Linux (#5383) Jonhnathan 2025-12-01 10:06:38 -03:00
  • c3d09165c4 [Tuning] Suspicious Kerberos Authentication Ticket Request (#5364) Samirbous 2025-11-26 18:45:30 +00:00
  • 03ce151b82 Add rules for Azure Activity Logs/GCP Audit ML jobs (#5191) Gus Carlock 2025-11-26 12:15:23 -06:00
  • d10dc0809f [Rule Tuning] Credential Access via TruffleHog Execution (#5362) Ruben Groenewoud 2025-11-25 12:18:42 +01:00
  • 18d249aae6 Lock versions for releases: 8.19,9.0,9.1,9.2 (#5360) dev-v1.5.17 github-actions[bot] 2025-11-25 02:26:54 +05:30
  • d510d32730 [New Rule] Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation (#5345) Terrance DeJesus 2025-11-24 15:08:39 -05:00
  • 5386345ca7 Add Investigation Guides for Rules (#5357) shashank-elastic 2025-11-25 01:08:15 +05:30
  • 22a94c6e0b [New Rule] Okta Multiple OS Names Detected for a Single DT Hash (#5241) Terrance DeJesus 2025-11-24 14:27:08 -05:00
  • e8d74260f2 [Rule Tuning] Microsoft Entra ID Excessive Account Lockouts (#5315) Terrance DeJesus 2025-11-24 14:16:08 -05:00
  • 13738b5d17 Tune rule indices (#5359) Eric Forte 2025-11-24 14:03:50 -05:00
  • 94ff4b0e3e [New Rule] Web Server Potential Command Injection Request (#5341) Ruben Groenewoud 2025-11-24 19:41:28 +01:00
  • b0cc0cbe13 [New Rule] Web Server Suspicious User Agent Request Spike (#5340) Ruben Groenewoud 2025-11-24 19:30:22 +01:00
  • 4f8c967185 [New Rule] Web Server Unusual Spike in Error Logs (#5339) Ruben Groenewoud 2025-11-24 19:18:23 +01:00
  • 296049e1ff [New Rule] Web Server Unusual Spike in Error Response Codes (#5338) Ruben Groenewoud 2025-11-24 19:08:25 +01:00
  • 167def0bc1 [New Rule] Web Server Discovery or Fuzzing Activity (#5337) dev-v1.5.16 Ruben Groenewoud 2025-11-24 18:40:12 +01:00
  • fda139f4bf [New] Alerts in Different ATT&CK Tactics by Host (#5343) Samirbous 2025-11-24 17:16:09 +00:00
  • 01c74e7e26 [New] Elastic Defend and Email Alerts Correlation (#5336) Samirbous 2025-11-24 16:56:00 +00:00
  • d946bb36b7 [New] Elastic Defend and Network Security Alerts Correlation (#5332) dev-v1.5.15 Samirbous 2025-11-24 16:45:15 +00:00
  • 52a17d8751 [Rule Tunings] AWS IAM Roles Anywhere Rules (#5307) Isai 2025-11-24 11:09:53 -05:00
  • 5188f22c7f [Rule Tuning] AWS GuardDuty Detector Deletion (#5309) Isai 2025-11-24 10:58:00 -05:00
  • 534d302758 [Rule Tunings] AWS CloudWatch Deletion Rules (#5316) Isai 2025-11-24 10:49:17 -05:00
  • 7b2c02f69b [Rule Tuning] Rapid Secret Retrieval Attempts from AWS SecretsManager (#5291) Isai 2025-11-24 10:37:07 -05:00
  • 5bea1b33ab [Rule Tuning] AWS IAM API Calls via Temporary Session Tokens (#5310) Isai 2025-11-24 10:27:22 -05:00
  • d6ed1cd811 [Rule Deprecations] AWS RDS Lifecycle Rules and Outdated APIs (#5350) Isai 2025-11-24 10:14:48 -05:00
  • 497642d528 [Deprecation] Deprecated - AWS Root Login Without MFA (#5351) Isai 2025-11-24 10:01:40 -05:00
  • 726b3c47ce [New Rule] Proxy Shell Execution via Busybox (#5348) Ruben Groenewoud 2025-11-24 15:51:39 +01:00
  • 7fc895ee38 [New Rule] Curl or Wget Egress Network Connection via LoLBin (#5347) Ruben Groenewoud 2025-11-24 15:38:38 +01:00
  • 8577bf47b7 [New] PANW Command and Control Correlation (#5331) Samirbous 2025-11-24 14:01:52 +00:00
  • 7fe3831078 [New] SOCKS Traffic from an Unusual Process (#5324) dev-v1.5.14 Samirbous 2025-11-24 13:18:30 +00:00
  • b16f22f60c [Tuning] Agent Spoofing - Multiple Hosts Using Same Agent (#5313) Samirbous 2025-11-24 12:59:49 +00:00
  • ba44f43295 [Deprecation] AWS Elasticache Security Group Rules (#5334) Isai 2025-11-20 10:56:13 -05:00
  • f0e9281854 [New] Potential Masquerading as Svchost (#5305) Samirbous 2025-11-19 12:10:11 +00:00
  • fe642a879a [Rule Tuning] Remote File Creation in World Writeable Directory (#5304) Ruben Groenewoud 2025-11-18 09:24:03 +01:00
  • 37f28be816 [Rule Tuning] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#5281) Isai 2025-11-17 16:25:38 -05:00
  • f2e2590d62 [Rule Tuning] AWS EC2 Instance Console Login via Assumed Role (#5285) Isai 2025-11-17 15:57:05 -05:00
  • 9925a39826 [Rule Tuning] AWS IAM SAML Provider Updated (#5284) Isai 2025-11-17 15:34:08 -05:00
  • 544c1914d4 [Rule Tuning] AWS IAM Virtual MFA Device Rules (#5275) Isai 2025-11-17 15:13:48 -05:00
  • 5db396f084 Skip unit test for protected prebuilt-rules on DAC env (#5323) dev-v1.5.13 shashank-elastic 2025-11-17 21:41:46 +05:30
  • 79607723df Renovate Updates (#5258) dev-v1.5.12 shashank-elastic 2025-11-17 20:22:11 +05:30
  • 64cc823481 [Tuning] Outbound Scheduled Task Activity via PowerShell (#5287) Samirbous 2025-11-17 10:02:50 +00:00
  • 4c984b0ed5 [Rule Tuning] Potential Execution via XZBackdoor (#5318) Ruben Groenewoud 2025-11-17 09:50:33 +01:00
  • 38d38f293e [New Rule] Azure Compute Snapshot Deletion(s) (#5211) Terrance DeJesus 2025-11-15 08:36:03 -05:00
  • a2bf7f088d [Security Content] Windows Setup Guides - WinEventLog & Sysmon (#5162) dev-v1.5.11 Jonhnathan 2025-11-14 14:22:31 -03:00
  • 8b74ba7136 [Rule Tuning] Remove host.os.type Unit Test Exception (#5317) dev-v1.5.10 Jonhnathan 2025-11-14 13:46:24 -03:00
  • 5c1ee125df [Rule Tuning] AWS GetSessionToken Abuse (#5274) Isai 2025-11-14 04:14:13 -05:00