sigma-rules/rules
Colson Wilhoit 43d3f3b467 [New] Endpoint Rule Conversion PR (#5658)
* update

* [New] Endpoint Rule Conversion PR

* fix: replace invalid rule_ids with valid UUIDs

* fix: remove malformed TOML in docker_outbound_connection rule

* fix: rename Security Software Discovery rule to avoid name collision

* fix: remove rule using unsupported 'as event' alias syntax

* fix: add timestamp_override, investigation guides, and fix MITRE mapping

- Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
- Added '## Triage and analysis' investigation guides to 19 high-severity rules
- Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'

* Enhance investigation guides for 19 high-severity macOS SIEM rules

Enhanced investigation guides to align with existing SIEM rule format:
- Added detailed context paragraphs explaining the threat and detection logic
- Expanded investigation steps to 6-7 items with specific field references
- Enhanced false positive analysis with 4-5 items and exclusion guidance
- Added comprehensive response and remediation steps (6-7 items)

Rules enhanced:
- Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
- Persistence: shell_profile, hidden_plist, chromium_extension, startup_item,
  pkg_install_script, launch_agent_daemon
- Execution: unusual_library_python
- Lateral Movement: jamf_endpoint
- Command and Control: google_calendar_c2, oast_domain, etherhiding,
  curl_from_app, curl_google_script, unsigned_binary
- Collection: pbpaste, sensitive_file_compression

* Fix investigation guide tests: add Resources tag and fix OAST title

- Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
- Fixed OAST rule investigation guide title to match rule name exactly:
  'Network Connection to OAST Domain via Script Interpreter'

* Remove duplicate detection_rules 2 folder from PR

* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule

Changes:
- Convert AWS S3 connection rule to ES|QL with aggregation
- Consolidate Python + Node non-standard port rules into single script interpreter rule
- Fix Gatekeeper rule to use correct gatekeeper_override event
- Simplify Gatekeeper rule to single event per Samir's suggestion
- Convert TCC access rule to ES|QL with COUNT_DISTINCT
- Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
- Add node to system/network config check rule

Deleted duplicates (covered by existing cross-platform rules):
- Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
- Security software via grep (tuned cross-platform version instead)
- VM fingerprinting via grep (duplicate of cross-platform version)

* fix: ESQL formatting and wildcard versioning patterns

- Add Esql. prefix to computed fields in ESQL rules
- Add KEEP statements to ESQL rules for proper field visibility
- Add perl* wildcard to OAST domain rule for version consistency
- Add ruby* wildcard to Etherhiding C2 rule for version consistency
- Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)

* fix: remove duplicate Script Interpreter rule

Delete command_and_control_suspicious_outbound_python_network.toml which
is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml
(same rule_id: aa1e007a-2997-4247-b048-dd9344742560)

* fix: add timestamp_override to Pbpaste and Gatekeeper rules

- collection_pbpaste_execution_via_unusual_parent.toml
- defense_evasion_gatekeeper_override_and_execution.toml

EQL/KQL rules require timestamp_override: event.ingested

* fix: remove perl from Script Interpreter rule

Perl is covered by the broader perl_outbound_network_connection rule which
catches perl → any external IP (not just non-standard ports). Perl network
connections on macOS are rare and inherently suspicious regardless of port.

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_manual_chromium_extension_loading.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_startup_item_plist_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix ESQL syntax error in AWS S3 connection rule

Remove trailing comma before BY clause in STATS command that caused a parsing_exception.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-06 10:53:44 -06:00

rules/

Rules within this folder are organized by solution or platform. The structure is kept flat, because nested file hierarchies are hard to navigate and make it harder to find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (e.g. windows/execution_via_compiled_html_file.toml).

| folder          | description                                                        |
|-----------------|--------------------------------------------------------------------|
| .               | Root directory where rules are stored                              |
| apm/            | Rules that use Application Performance Monitoring (APM) data sources |
| cross-platform/ | Rules that apply to multiple platforms, such as Windows and Linux  |
| integrations/   | Rules organized by Fleet integration                               |
| linux/          | Rules for Linux or other Unix based operating systems              |
| macos/          | Rules for macOS                                                    |
| ml/             | Rules that use machine learning jobs (ML)                          |
| network/        | Rules that use network data sources                                |
| promotions/     | Rules that promote external alerts into detection engine alerts    |
| windows/        | Rules for the Microsoft Windows Operating System                   |

Integration specific rules are stored in the integrations/ directory:

| folder            | integration                            |
|-------------------|----------------------------------------|
| aws/              | Amazon Web Services (AWS)              |
| azure/            | Microsoft Azure                        |
| cyberarkpas/      | Cyber Ark Privileged Access Security   |
| endpoint/         | Elastic Endpoint Security              |
| gcp/              | Google Cloud Platform (GCP)            |
| google_workspace/ | Google Workspace (formerly GSuite)     |
| o365/             | Microsoft Office                       |
| okta/             | Okta                                   |