sigma-rules/rules/cross-platform at 473df70fbb100b773c28da19b4d3267575f5bdec - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Samirbous 74d6fe95c9 [New] Multiple Elastic Defend Alerts from Single Process Tree (#5522 )

* [New] Multiple Elastic Defend Alerts from Single Process Tree

Detects multiple Elastic Defend EDR alerts originating from the same process tree, indicating coordinated malicious activity. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

* Update multiple_alerts_edr_elastic_same_process_tree.toml

* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/multiple_alerts_edr_elastic_same_process_tree.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update multiple_alerts_edr_elastic_same_process_tree.toml

* Update multiple_alerts_edr_elastic_same_process_tree.toml

* Update multiple_alerts_edr_elastic_same_process_tree.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

2026-01-02 15:13:25 +00:00

..

command_and_control_curl_wget_spawn_via_nodejs_parent.toml

[New/Tuning] NPM Shai-Hulud coverage (#5368 )

2025-12-02 10:57:12 +00:00

command_and_control_genai_process_suspicious_tld_connection.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

command_and_control_genai_process_unusual_domain.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

command_and_control_google_drive_malicious_file_download.toml

[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464 )

2025-02-19 12:54:31 -03:00

command_and_control_non_standard_ssh_port.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

command_and_control_pan_elastic_defend_c2.toml

[New] PANW Command and Control Correlation (#5331 )

2025-11-24 14:01:52 +00:00

command_and_control_socks_fortigate_endpoint.toml

[New] SOCKS Traffic from an Unusual Process (#5324 )

2025-11-24 13:18:30 +00:00

command_and_control_suricata_elastic_defend_c2.toml

[New] Suricata and Elastic Defend Network Correlation (#5443 )

2025-12-19 09:08:31 +00:00

credential_access_cookies_chromium_browsers_debugging.toml

Prep main for 9.1 (#4555 )

2025-03-26 11:04:14 -04:00

credential_access_forced_authentication_pipes.toml

[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464 )

2025-02-19 12:54:31 -03:00

credential_access_genai_process_sensitive_file_access.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

credential_access_gitleaks_execution.toml

[New Rule] Potential Secret Scanning via Gitleaks (#5377 )

2025-12-02 09:42:19 +01:00

credential_access_multi_could_secrets_via_api.toml

[New] Multiple Cloud Secrets Accessed by Source Address (#5388 )

2025-12-04 18:04:25 +00:00

credential_access_trufflehog_execution.toml

[New/Tuning] NPM Shai-Hulud coverage (#5368 )

2025-12-02 10:57:12 +00:00

defense_evasion_agent_spoofing_mismatched_id.toml

Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312 )

2025-11-13 17:26:29 +00:00

defense_evasion_agent_spoofing_multiple_hosts.toml

Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446 )

2025-12-12 17:47:11 +00:00

defense_evasion_deleting_websvr_access_logs.toml

Prep main for 9.1 (#4555 )

2025-03-26 11:04:14 -04:00

defense_evasion_deletion_of_bash_command_line_history.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

defense_evasion_elastic_agent_service_terminated.toml

[Rule Tuning] Elastic Agent Service Terminated (#5272 )

2025-11-12 08:34:34 -03:00

defense_evasion_encoding_rot13_python_script.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

defense_evasion_genai_config_modification.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

defense_evasion_genai_process_compiling_executables.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

defense_evasion_genai_process_encoding_prior_to_network_activity.toml

[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352 )

2025-12-05 12:26:56 -06:00

defense_evasion_masquerading_space_after_filename.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

defense_evasion_potential_http_downgrade_attack.toml

December Schema Refresh (#5420 )

2025-12-08 22:07:46 +05:30

defense_evasion_timestomp_touch.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

defense_evasion_whitespace_padding_command_line.toml

[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442 )

2025-12-09 17:05:20 -08:00

discovery_security_software_grep.toml

[Rule Tuning] Q2 Linux DR Tuning - CP (#4170 )

2024-10-18 16:38:14 +02:00

discovery_virtual_machine_fingerprinting_grep.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

discovery_web_server_local_file_inclusion_activity.toml

December Schema Refresh (#5420 )

2025-12-08 22:07:46 +05:30

discovery_web_server_remote_file_inclusion_activity.toml

December Schema Refresh (#5420 )

2025-12-08 22:07:46 +05:30

execution_aws_ec2_lolbin_via_ssm.toml

[New Rule] AWS EC2 LOLBin Execution via SSM (#5354 )

2025-12-05 16:14:33 -05:00

execution_aws_ssm_sendcommand_with_command_parameters.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

execution_git_exploit_cve_2025_48384.toml

[New Rule] Potential Git CVE-2025-48384 Exploitation (#5301 )

2025-11-12 15:45:52 +01:00

execution_nodejs_pre_or_post_install_script_execution.toml

[Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403 )

2025-12-04 09:07:12 -05:00

execution_pentest_eggshell_remote_admin_tool.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

execution_potential_widespread_malware_infection.toml

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912 )

2025-08-05 19:35:41 -04:00

execution_privileged_container_creation_with_host_reference.toml

[New Rule] Privileged Container Creation with Host Directory Mount (#5373 )

2025-12-02 09:33:16 +01:00

execution_register_github_actions_runner.toml

[New/Tuning] NPM Shai-Hulud coverage (#5368 )

2025-12-02 10:57:12 +00:00

execution_revershell_via_shell_cmd.toml

[Docs | Rule Tuning] Add blog references to rules (#4097 )

2024-09-25 15:19:20 -05:00

execution_suspicious_java_netcon_childproc.toml

[Rule Tuning] Linux DR Tuning - Part 6 (#4423 )

2025-02-03 14:05:26 +01:00

execution_via_github_actions_runner.toml

[New/Tuning] NPM Shai-Hulud coverage (#5368 )

2025-12-02 10:57:12 +00:00

execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml

[New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370 )

2025-12-02 10:22:24 +01:00

guided_onboarding_sample_rule.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

impact_hosts_file_modified.toml

[Tuning] Top Noisy Rules (#5449 )

2025-12-12 14:28:12 +00:00

initial_access_azure_o365_with_network_alert.toml

[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172 )

2025-12-10 12:59:50 -05:00

initial_access_execution_susp_react_serv_child.toml

Update initial_access_execution_susp_react_serv_child.toml (#5503 )

2026-01-01 15:27:33 -03:00

initial_access_exfiltration_new_usb_device_mounted.toml

[New] New USB Storage Device Mounted (#5299 )

2025-11-11 09:28:54 +00:00

initial_access_file_upload_followed_by_get_request.toml

December Schema Refresh (#5420 )

2025-12-08 22:07:46 +05:30

initial_access_zoom_meeting_with_no_passcode.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

multiple_alerts_different_tactics_host.toml

Update multiple_alerts_different_tactics_host.toml (#4854 )

2025-06-27 09:53:42 -03:00

multiple_alerts_edr_elastic_defend_by_host.toml

[New] Alerts in Different ATT&CK Tactics by Host (#5343 )

2025-11-24 22:46:09 +05:30

multiple_alerts_edr_elastic_same_process_tree.toml

[New] Multiple Elastic Defend Alerts from Single Process Tree (#5522 )

2026-01-02 15:13:25 +00:00

multiple_alerts_elastic_defend_netsecurity_by_host.toml

[Tuning] Elastic Defend and Network Security Alerts Correlation (#5518 )

2026-01-02 14:40:06 +00:00

multiple_alerts_email_elastic_defend_correlation.toml

[Tuning] Elastic Defend and Email Alerts Correlation (#5459 )

2025-12-15 15:33:10 +00:00

multiple_alerts_from_different_modules_by_dstip.toml

[New] Alerts From Multiple Integrations by Entity (#5460 )

2025-12-18 18:04:58 +00:00

multiple_alerts_from_different_modules_by_srcip.toml

[New] Alerts From Multiple Integrations by Entity (#5460 )

2025-12-18 18:04:58 +00:00

multiple_alerts_from_different_modules_by_user.toml

[New] Alerts From Multiple Integrations by Entity (#5460 )

2025-12-18 18:04:58 +00:00

multiple_alerts_involving_user.toml

[Rule Tuning] Multiple Alerts Involving a User (#5498 )

2025-12-19 12:57:25 -03:00

multiple_alerts_risky_host_esql.toml

[New] Alerts in Different ATT&CK Tactics by Host (#5343 )

2025-11-24 22:46:09 +05:30

persistence_credential_access_modify_auth_module_or_config.toml

[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#5421 )

2025-12-08 18:54:23 +05:30

persistence_shell_profile_modification.toml

[Tuning] Diverse Rules Tuning (#5482 )

2025-12-18 15:30:12 +00:00

persistence_ssh_authorized_keys_modification.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

persistence_web_server_potential_command_injection.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00

privilege_escalation_echo_nopasswd_sudoers.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

privilege_escalation_setuid_setgid_bit_set_via_chmod.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

privilege_escalation_sudo_buffer_overflow.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

privilege_escalation_sudoers_file_mod.toml

[Rule Tuning] Sudoers File Modification (#4904 )

2025-07-16 10:17:51 +02:00

reconnaissance_web_server_discovery_or_fuzzing_activity.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00

reconnaissance_web_server_unusual_spike_in_error_logs.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00

reconnaissance_web_server_unusual_spike_in_error_response_codes.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00

reconnaissance_web_server_unusual_user_agents.toml

[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413 )

2025-12-05 16:42:52 +01:00