security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4e1c8f677cc89232ee659d25583b1d4f60d94669
sigma-rules/rules
T
History
Mika Ayenson, PhD 4e1c8f677c [Tuning] Add mv_expand for gen_ai.policy.action field (#5296) 
Resolves #5202
Resolves #5203
Resolves #5204

The gen_ai.policy.action field is an array, so an additional mv_expand
is necessary for the rules to work correctly with AWS Bedrock integration
events that contain multiple policy actions.

Updated rules:
- Unusual High Word Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected
- Unusual High Confidence Content Filter Blocks Detected
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-11 07:37:40 +05:30
..
_deprecated
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
Ignore agentless executions in agent_id_status events. (#5295)
2025-11-10 22:18:51 +05:30
integrations
[Tuning] Add mv_expand for gen_ai.policy.action field (#5296)
2025-11-11 07:37:40 +05:30
linux
[Rule Tuning] File Transfer or Listener Established via Netcat (#5223)
2025-11-10 16:11:16 +01:00
macos
Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008)
2025-08-26 13:03:59 +01:00
ml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
network
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
promotions
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
[Tuning] Potential Ransomware Behavior - Note Files by System (#5235)
2025-11-10 18:22:37 +00:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink