Commit Graph

  • 76c73f84f6 [Rule Tuning] Windows High Severity - 4 (#5095) Jonhnathan 2025-09-15 09:18:55 -07:00
  • 8d9822e8be [Rule Tuning] Fix process.pe.original_file_name Conditions (#5101) Jonhnathan 2025-09-15 09:06:23 -07:00
  • d69ede2508 [Rule Tuning] Windows High Severity - 3 (#5094) Jonhnathan 2025-09-15 08:34:43 -07:00
  • 567b82cb2f [Rule Tuning] Windows High Severity - 2 (#5093) Jonhnathan 2025-09-15 07:53:31 -07:00
  • 7910f465cc [Rule Tuning] Windows High Severity - 1 (#5092) Jonhnathan 2025-09-15 07:44:20 -07:00
  • 39b6f19eb9 Pin dependencies (#5086) dev-v1.4.1 elastic-renovate-prod[bot] 2025-09-12 22:46:24 +05:30
  • 1dedea798a [Rule Tuning] Component Object Model Hijacking (#5065) Jonhnathan 2025-09-11 17:18:05 -07:00
  • aa97487b20 [Rule Tuning] PowerShell Rules (#5056) Jonhnathan 2025-09-11 16:54:11 -07:00
  • b5d77951b5 [Rule Tuning] Remote Execution via File Shares (#5066) Jonhnathan 2025-09-11 16:40:59 -07:00
  • 90ee151bf0 [Tuning] AWS Access Token Used from Multiple Addresses (#5055) Isai 2025-09-11 17:43:12 -04:00
  • 88d9811361 [Rule Tunings] AWS SNS new Terms rules (#5082) Isai 2025-09-11 17:25:04 -04:00
  • fcc82fa49c [Tuning] AWS S3 Unauthenticated Bucket Access by Rare Source (#5075) Isai 2025-09-11 17:13:41 -04:00
  • 6f725b1ed0 [Rule Tunings] AWS DynamoDB new terms Rules (#5074) Isai 2025-09-11 16:59:39 -04:00
  • 1f044117b7 [Rule Tuning] AWS EC2 Instance Connect SSH Public Key Uploaded (#5069) Isai 2025-09-11 16:37:39 -04:00
  • 02fcd43dbd [Rule Tuning] Potential Okta MFA Bombing via Push Notifications (#5073) Terrance DeJesus 2025-09-11 16:24:09 -04:00
  • 7ff2648cfd [Rule Tuning] SSM Session Started to EC2 Instance (#5068) Isai 2025-09-11 15:54:31 -04:00
  • 76e083ced0 [Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted (#5064) Isai 2025-09-11 15:35:16 -04:00
  • e22f60f44c [Tuning] AWS IAM Create User via Assumed Role on EC2 Instance (#5063) Isai 2025-09-11 15:11:40 -04:00
  • e60c345656 Bootstrap repository (#5085) elastic-backstage-prod[bot] 2025-09-11 13:24:59 -05:00
  • f0f7d217c0 [FR] Refactor Schema Validation & Support Multi-Dataset Sequence Validation (#5059) dev-v1.4.0 Mika Ayenson, PhD 2025-09-10 13:11:04 -05:00
  • 25539fd6c6 Delete Development Rules (#5084) shashank-elastic 2025-09-10 23:24:28 +05:30
  • 6adee51410 Fix Ruff failures (#5083) dev-v1.3.33 shashank-elastic 2025-09-10 22:24:07 +05:30
  • 822f649715 Fix updated_date for tunings as part of #5079 (#5081) shashank-elastic 2025-09-10 22:05:36 +05:30
  • a6dfd2c0e1 Add test_min_stack_version_supported testcase (#5077) dev-v1.3.32 shashank-elastic 2025-09-10 20:12:36 +05:30
  • c6406e97c2 Tune Rules that have unsupported versions in min_stack_version (#5079) shashank-elastic 2025-09-10 19:43:28 +05:30
  • 392e0253c3 [Rule Tuning] Beats & Endgame Indices (#5072) Mika Ayenson, PhD 2025-09-09 13:19:13 -05:00
  • 35b000b7ab [FR] Add negate DOES NOT MATCH capability to IM rule type (>=9.2) (#5041) dev-v1.3.31 Mika Ayenson, PhD 2025-09-09 10:58:53 -05:00
  • 0f0f16bdee [Rule Tuning] D-Bus Service Created (#5076) Ruben Groenewoud 2025-09-09 15:33:58 +02:00
  • 375082729a [Rule Tuning] Adjust process.code_signature.trusted condition (#5067) Jonhnathan 2025-09-08 08:42:17 -07:00
  • 6ac71050dc [Rule Tuning] Remote File Download via PowerShell (#5062) Jonhnathan 2025-09-08 07:59:53 -07:00
  • 4aa6c4e715 [Rule Tuning] Untrusted Driver Loaded (#5061) Jonhnathan 2025-09-05 06:12:30 -07:00
  • 9ee15a13b0 [Rule Tuning] Connection to Commonly Abused Web Services (#5060) Jonhnathan 2025-09-04 11:58:13 -07:00
  • cbb892b4bc [Bug] Incorrect Integrations Schema Parsing for Nested Fields (#5058) dev-v1.3.30 Eric Forte 2025-09-04 14:12:33 -04:00
  • 3c1de72f6b [FR] Add support for 5 group_by fields in threshold rules (>=9.2) (#5040) dev-v1.3.29 Mika Ayenson, PhD 2025-09-04 09:24:36 -05:00
  • b4db783413 Tune a Tag discrepancy in rule (#5053) shashank-elastic 2025-09-02 21:12:06 +05:30
  • 0bbad3bbf8 Update defense_evasion_modify_ownership_os_files.toml (#5051) Samirbous 2025-09-02 16:18:35 +01:00
  • ef7ff52119 [Rule Tuning] Misc. Linux ES|QL Rules (#5050) Ruben Groenewoud 2025-09-02 13:49:22 +02:00
  • f2291e0261 Lock versions for releases: 8.18,8.19,9.0,9.1 (#5049) dev-v1.3.28 github-actions[bot] 2025-09-01 23:19:12 +05:30
  • 8d2ea9220b [New Rules] Potential Relay Attack against a Computer Account (#4826) Jonhnathan 2025-09-01 10:07:37 -07:00
  • 464fb3951e [Tuning] Unusual Network Activity from a Windows System Binary (#5048) Samirbous 2025-09-01 17:47:53 +01:00
  • a31b3a36ad [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025) Jonhnathan 2025-09-01 09:30:21 -07:00
  • a62ee7a8a2 [New] Active Directory Discovery using AdExplorer (#5047) Samirbous 2025-09-01 16:58:22 +01:00
  • 40794368a7 [New] Connection to Common Large Language Model Endpoints (#5044) Samirbous 2025-09-01 16:47:31 +01:00
  • ba354ceff9 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038) Jonhnathan 2025-09-01 08:25:52 -07:00
  • 93ac471574 Monthly Schema Updates (#5046) dev-v1.3.27 shashank-elastic 2025-09-01 20:42:42 +05:30
  • 61af3e801d [New] Potential System Tampering via File Modification (#5043) Samirbous 2025-09-01 15:52:26 +01:00
  • e1205cb5c5 [New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001) Samirbous 2025-09-01 15:41:51 +01:00
  • b2bc6021f2 [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037) Jonhnathan 2025-09-01 05:31:12 -07:00
  • dd918b1f80 [Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5039) Jonhnathan 2025-09-01 05:09:31 -07:00
  • d9151c30ae [Rule Tuning] M365 Portal Logins (Impossible & Atypical) (#5031) Terrance DeJesus 2025-08-29 15:41:38 -04:00
  • d2791bf29a [New Rule] Toolshell Exploit Chain Detections (#4928) Terrance DeJesus 2025-08-29 15:17:52 -04:00
  • 4aebb7dfc5 [Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access (#4997) Terrance DeJesus 2025-08-29 14:57:25 -04:00
  • 7e9ef00b79 [New Rule] Threat Intelligence Signal - Microsoft Defender for Office 365 (#4994) Terrance DeJesus 2025-08-29 14:41:34 -04:00
  • 4b9e3887bb [Rule Tuning] Multi-Factor Authentication Disabled for User (#5006) Terrance DeJesus 2025-08-29 13:20:12 -04:00
  • 590cc9cbbd [Tuning] First Occurrence of STS GetFederationToken Request by User (#5007) Isai 2025-08-29 13:08:59 -04:00
  • 4cde57de07 [Tuning] First Time AWS Cloudformation Stack Creation by User (#5036) Isai 2025-08-29 12:36:21 -04:00
  • 79daf3fc68 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028) Jonhnathan 2025-08-28 13:28:14 -07:00
  • ccedd45df1 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030) Jonhnathan 2025-08-28 13:07:38 -07:00
  • 86dd350579 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029) Jonhnathan 2025-08-28 12:50:59 -07:00
  • 7eec833ec8 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027) Jonhnathan 2025-08-28 12:40:03 -07:00
  • 41dd521546 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026) Jonhnathan 2025-08-28 12:28:49 -07:00
  • 9c08869575 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024) Jonhnathan 2025-08-28 12:15:25 -07:00
  • be18b4db16 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023) Jonhnathan 2025-08-28 12:04:55 -07:00
  • 48dfb759cd [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022) Jonhnathan 2025-08-28 11:51:45 -07:00
  • 1af98a6170 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021) Jonhnathan 2025-08-28 11:37:15 -07:00
  • b91e73714e [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020) Jonhnathan 2025-08-28 11:26:09 -07:00
  • 85a0d27b13 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 (#5019) Jonhnathan 2025-08-28 11:05:42 -07:00
  • 0fbf57c1d9 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018) Jonhnathan 2025-08-28 10:55:21 -07:00
  • 8ab98458fa [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017) Jonhnathan 2025-08-28 10:40:34 -07:00
  • 00c6e785cb [Rule Tuning] Windows - Small Adjustments for Compatibility (#5032) Jonhnathan 2025-08-28 10:20:13 -07:00
  • 9c2ceb2bd7 [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016) Jonhnathan 2025-08-28 06:43:09 -07:00
  • fbfc696a86 Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008) Samirbous 2025-08-26 13:03:59 +01:00
  • bfb29ecf37 [Rule Tuning] First Time Seen AWS Secret Value Accessed in Secrets Manager (#4992) Isai 2025-08-25 12:00:47 -04:00
  • df179f0ab1 [Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4995) Isai 2025-08-25 11:44:58 -04:00
  • a4a5b171c4 [New Rule] Multi-Base64 Decoding Attempt from Suspicious Location (#4931) Ruben Groenewoud 2025-08-25 10:31:25 +02:00
  • c151d69d36 [Rule Tuning] AWS STS AssumeRole with New MFA Device (#4999) Isai 2025-08-22 14:48:39 -04:00
  • ee70674e2c Add all rule types DaC testing (#4969) dev-v1.3.26 shashank-elastic 2025-08-20 19:04:57 +05:30
  • dde448ee6b [Bug] Rule Toml Write Formatting Wrongly Formats \\\\x (#4978) dev-v1.3.25 Eric Forte 2025-08-18 17:03:51 -04:00
  • fb76ec1b2d Lock versions for releases: 8.18,8.19,9.0,9.1 (#4991) dev-v1.3.24 aug_2025_updates github-actions[bot] 2025-08-18 22:36:37 +05:30
  • 9dfc42aa1d [Tuning] Connection to Commonly Abused Web Services - alerts JetBrains to GH (#4973) Samirbous 2025-08-18 17:21:04 +01:00
  • 58f62fd138 [Rule Tuning] Suspicious Windows Powershell Arguments (#4961) Jonhnathan 2025-08-18 09:02:04 -07:00
  • 0507bcd150 [Rule Tuning] ES|QL PowerShell Rules (#4984) Jonhnathan 2025-08-18 08:44:18 -07:00
  • 273650d746 [Rule Tuning] Potential RemoteMonologue Attack (#4967) Jonhnathan 2025-08-18 08:22:53 -07:00
  • c28b6d84b5 Investigation guides Update (#4990) shashank-elastic 2025-08-18 20:36:46 +05:30
  • 1557eae9d4 [New] Command Line Obfuscation via Whitespace Padding (#4860) Samirbous 2025-08-18 15:26:52 +01:00
  • 5f7b821e12 [Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#4976) Jonhnathan 2025-08-18 06:29:28 -07:00
  • 36b33e2c13 Update persistence_services_registry.toml (#4989) Samirbous 2025-08-18 14:05:25 +01:00
  • b7de4f5126 [Tuning] SDH - Investigating MFA Deactivation with no Re-Activation for Okta User Account (#4986) Isai 2025-08-15 18:02:15 -04:00
  • c8ee4c8ce3 [New Rule] Potential Web Shell ASPX File Creation (#4939) Jonhnathan 2025-08-15 12:09:06 -03:00
  • 532b68cc93 [Rule Tuning] PowerShell Script Block Logging Disabled (#4980) Jonhnathan 2025-08-14 17:29:45 -03:00
  • e3a7ee94fc [Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access (#4954) Terrance DeJesus 2025-08-13 17:41:58 -04:00
  • 8f441a7191 [Rule Tuning] Creation or Modification of Root Certificate (#4970) Jonhnathan 2025-08-13 09:41:57 -03:00
  • 1dd1bb8f1e [Rule Tuning] Fixes FPs related to a process.args_count bug (#4971) Jonhnathan 2025-08-13 08:46:46 -03:00
  • 154283f457 Lock versions for releases: 8.18,8.19,9.0,9.1 (#4963) dev-v1.3.23 github-actions[bot] 2025-08-06 08:58:16 +05:30
  • b28338c680 [Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912) Terrance DeJesus 2025-08-05 19:35:41 -04:00
  • 215cdf0f8f [Rule Tuning] Elastic Security External Alerts (#4962) Mika Ayenson, PhD 2025-08-05 15:48:10 -05:00
  • a726da5e83 [Bug] [DAC] Custom Rules Filter Discrepancy on Stacks Upgraded to 8.18 (#4945) dev-v1.3.22 Eric Forte 2025-08-05 09:42:25 -04:00
  • c210a88b1f Lock versions for releases: 8.18,8.19,9.0,9.1 (#4960) dev-v1.3.21 github-actions[bot] 2025-08-04 22:37:59 +05:30
  • 80e44d0fb8 [Rule Tuning] AI4DSOC External Promotion Alerts (#4959) Mika Ayenson, PhD 2025-08-04 11:27:00 -05:00
  • 2c2b15368c Update latest integration manifests and schema and investigation guides (#4957) dev-v1.3.20 shashank-elastic 2025-08-04 19:30:01 +05:30