security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2bb9fdb7243d5a5f61cd4f758483a7efa0fba3aa
sigma-rules/rules/ml
T
History
dstepanic17 c864538606 [rule-tuning] Adding more context with triage/investigation (#1481) 
* [rule-tuning] Adding more context with triage/investigation

* Adding mimikatz rule

* Fixed updated date on mimikatz rule

* Adding Defender update

* Adding scheduled task

* Adding AdFind

* Adding rare process

* Adding cloudtrail country

* Adding cloudtrail spike

* Adding threat intel

* Fixed minor spelling/syntax

* Fixed minor spelling/syntax p2

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/ml/ml_rare_process_by_host_windows.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Removed MITRE link, added Microsoft

* Update ml_cloudtrail_error_message_spike.toml

* Update ml_cloudtrail_rare_method_by_country.toml

* Update ml_rare_process_by_host_windows.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update discovery_adfind_command_activity.toml

* Update lateral_movement_dns_server_overflow.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9ff3873ee7)
2021-09-16 01:08:23 +00:00
..
ml_auth_rare_hour_for_a_user_to_logon.toml
Add min_stack_version to 7.14+ only rules (#1321)
2021-07-06 13:42:09 -06:00
ml_auth_rare_source_ip_for_a_user.toml
Add min_stack_version to 7.14+ only rules (#1321)
2021-07-06 13:42:09 -06:00
ml_auth_rare_user_logon.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_auth_spike_in_failed_logon_events.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_auth_spike_in_logon_events_from_a_source_ip.toml
[Rule tuning] Fix typo in ML rule descriptions (#1484)
2021-09-14 16:37:55 +00:00
ml_auth_spike_in_logon_events.toml
Add min_stack_version to 7.14+ only rules (#1321)
2021-07-06 13:42:09 -06:00
ml_high_count_network_denies.toml
Fix rules which were note using v2 license (#1291)
2021-06-16 08:21:30 -06:00
ml_high_count_network_events.toml
Fix typos discovered by codespell (#1430)
2021-08-15 04:30:11 +00:00
ml_linux_anomalous_compiler_activity.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_linux_anomalous_kernel_module_arguments.toml
[Rule tuning] Fix spacing in reference URLs (#1455)
2021-09-01 00:00:06 +00:00
ml_linux_anomalous_metadata_process.toml
Updating rules to query v2 (#1254)
2021-06-15 07:20:50 -07:00
ml_linux_anomalous_metadata_user.toml
Updating rules to query v2 (#1254)
2021-06-15 07:20:50 -07:00
ml_linux_anomalous_network_activity.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_linux_anomalous_network_port_activity.toml
Updating rules to query v2 (#1254)
2021-06-15 07:20:50 -07:00
ml_linux_anomalous_network_service.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_linux_anomalous_network_url_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_linux_anomalous_process_all_hosts.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_linux_anomalous_sudo_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_linux_anomalous_user_name.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_linux_system_information_discovery.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_linux_system_network_configuration_discovery.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_linux_system_network_connection_discovery.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_linux_system_process_discovery.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_linux_system_user_discovery.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_packetbeat_dns_tunneling.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_packetbeat_rare_dns_question.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_packetbeat_rare_server_domain.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_packetbeat_rare_urls.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_packetbeat_rare_user_agent.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_rare_destination_country.toml
Fix rules which were note using v2 license (#1291)
2021-06-16 08:21:30 -06:00
ml_rare_process_by_host_linux.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_rare_process_by_host_windows.toml
[rule-tuning] Adding more context with triage/investigation (#1481)
2021-09-16 01:08:23 +00:00
ml_spike_in_traffic_to_a_country.toml
Fix rules which were note using v2 license (#1291)
2021-06-16 08:21:30 -06:00
ml_suspicious_login_activity.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_windows_anomalous_metadata_process.toml
Updating rules to query v2 (#1254)
2021-06-15 07:20:50 -07:00
ml_windows_anomalous_metadata_user.toml
Updating rules to query v2 (#1254)
2021-06-15 07:20:50 -07:00
ml_windows_anomalous_network_activity.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_windows_anomalous_path_activity.toml
Updating rules to query v2 (#1254)
2021-06-15 07:20:50 -07:00
ml_windows_anomalous_process_all_hosts.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_windows_anomalous_process_creation.toml
Updating rules to query v2 (#1254)
2021-06-15 07:20:50 -07:00
ml_windows_anomalous_script.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_windows_anomalous_service.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_windows_anomalous_user_name.toml
[Rule tuning] Revise rule description and other text (#1398)
2021-08-03 21:08:48 +00:00
ml_windows_rare_user_runas_event.toml
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
ml_windows_rare_user_type10_remote_login.toml
Cleanup note field in rules (#1194)
2021-05-10 13:40:56 -08:00