security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
133a0799cdf95a3f80fa934cc4a8ed11bc9c0a7c
sigma-rules/rules
T
History
Isai 133a0799cd [Rule Tuning] AWS IAM Assume Role Policy Update (#4799) 
* [Rule Tuning] AWS IAM Assume Role Policy Update

- changed time window to have only 1 minute lookback
- changed the new terms field to look at combination of cloud.account.id, user.name, and roleName. This is to account for the problem with using user_identity.arn for AssumedRoles. Roles are identities in AWS that are granted a set of permissions and can then be assumed by various users across many different sessions. Each of these sessions is designated a session name which is attached to the `user_identity.arn`. This means that each time a Role is assumed, there is a unique user_identity.arn created. This rule is meant to capture unique instances of the Role itself which is captured separate from the individual session names in the `user.name` field. `cloud.account.id` has been added to the new_terms fields to account for organizations with multiple AWS account ids, which may reuse certain user.names across accounts.

This may improve performance especially in environments where there are many users assuming the same role and updating it's trust policy as a part of normal operations.

* remove markdown from description
2025-06-17 15:03:55 -04:00
..
_deprecated
Deprecate Cloud Defend Rules (#4537)
2025-03-14 21:27:37 +05:30
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
Update initial_access_azure_o365_with_network_alert.toml (#4723)
2025-05-19 20:54:19 +05:30
integrations
[Rule Tuning] AWS IAM Assume Role Policy Update (#4799)
2025-06-17 15:03:55 -04:00
linux
[New Rule] Kubeconfig File Creation or Modification (#4810)
2025-06-17 15:01:07 +02:00
macos
[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547)
2025-04-22 21:23:01 +05:30
ml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
network
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
promotions
Update Max signals value to supported limits (#4556)
2025-03-27 09:02:25 +05:30
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
[Rule Tuning] PowerShell ES|QL Rules Tuning (#4785)
2025-06-17 10:36:51 -03:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink