security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1637f2dc79292e13b7d4a24dd43cd7258901b4e8
sigma-rules/rules
T
History
Isai 1637f2dc79 [Rule Tuning] Shadow File Read via Command Line Utilities (#2403) 
* Update privilege_escalation_shadow_file_read.toml

description update, name update, query update, tags update, MITRE update

* Update privilege_escalation_shadow_file_read.toml

edited order of MITRE

* changed file name to match credential_access as primary tactic

changed file name to match credential_access as primary tactic

* excluded common executables, not related to "read", based on telemetry

excluded common executables, not related to "read", based on telemetry

* update cred access reference MITRE

* toml-lint file for final validation

* Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml

revert name back to privilege_escalation...

* Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml

* update update_date

* Changed primary tactic back to privilege_escalation to match rule name 

Changed primary tactic back to privilege_escalation to match rule name
2022-11-21 11:25:39 -05:00
..
_deprecated
[Deprecation] GCP Kubernetes Rolebindings Created or Patched (#2340)
2022-11-09 12:51:52 -05:00
apm
[Rule Deprecation] Web Application Suspicious Activity: No User Agent (#2295)
2022-09-19 10:56:03 -07:00
cross-platform
[New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2399)
2022-11-18 17:38:27 -03:00
integrations
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
2022-11-18 12:32:27 -03:00
linux
[Rule Tuning] Shadow File Read via Command Line Utilities (#2403)
2022-11-21 11:25:39 -05:00
macos
Adds commands to manage ATT&CK mappings (#2343)
2022-11-01 13:14:40 -06:00
ml
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
2022-11-18 12:32:27 -03:00
network
[Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388)
2022-11-07 15:17:49 -05:00
promotions
[Rule Tuning] Adversary Behavior - Detected - Elastic Endgame (#2382)
2022-11-01 11:29:29 -03:00
windows
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
2022-11-18 12:32:27 -03:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink