security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
590cc9cbbdee9030c0e4cbb3d56ac6f8aa760dc7
sigma-rules/rules
T
History
Isai 590cc9cbbd [Tuning] First Occurrence of STS GetFederationToken Request by User (#5007) 
Rule is executing as expected, however it is alerting on failed requests. Low alert telemetry.

This tuning:
- removed markdown and edited description to be more specific
- reduced execution window for 1 min lookback
- name change to add `AWS` consistent with all other rules
- added references that reflect in the wild threats and persistence usage
- increased risk_score and severity to medium accounting for usage as persistence mechanism in the wild
- added Persistence tag and Mitre tactic, technique, subtechnique
- added `event.outcome: success` criteria to query
- edited investigation guide to be more accurate reflection of steps required for investigating alert, including appropriate response action
- added highlighted fields
** Note: only IAMUser and Root user identities can call this actions so we can use `aws.cloudtrail.user_identity.arn` as the new terms field without worrying about Role vs Role + Session issue seen with other new_terms rules
2025-08-29 13:08:59 -04:00
..
_deprecated
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
[New] Command Line Obfuscation via Whitespace Padding (#4860)
2025-08-18 15:26:52 +01:00
integrations
[Tuning] First Occurrence of STS GetFederationToken Request by User (#5007)
2025-08-29 13:08:59 -04:00
linux
[New Rule] Multi-Base64 Decoding Attempt from Suspicious Location (#4931)
2025-08-25 10:31:25 +02:00
macos
Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008)
2025-08-26 13:03:59 +01:00
ml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
network
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
promotions
[Rule Tuning] Elastic Security External Alerts (#4962)
2025-08-05 15:48:10 -05:00
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
2025-08-28 13:28:14 -07:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink