* add description to hunting schema; change queries to be a list
* update CreateRemoteThread by process hunt
* update dll hijack and masquerading as MSFT library
* remove sysmon specific DLL hijack via masquerading MSFT library
* updated Masquerading Attempts as Native Windows Binaries
* updates Rare DLL Side-Loading by Occurrence
* updates Rare LSASS Process Access Attempts
* update DNS Queries via LOLBins with Low Occurence Frequency
* updated Low Occurrence of Drivers Loaded on Unique Hosts
* updates Excessive RDP Network Activity by Host and User
* updates Excessive SMB Network Activity by Process ID
* updated Executable File Creation by an Unusual Microsoft Binary
* Frequency of Process Execution and Network Logon by Source Address
* updates Frequency of Process Execution and Network Logon by Source Address
* updated Execution via Remote Services by Client Address
* updated Startup Execution with Low Occurrence Frequency by Unique Host
* updated Low Frequency of Process Execution via WMI by Unique Agent
* updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent
* updated Low Occurence of Process Execution via Windows Services with Unique Agent
* Updated High Count of Network Connection Over Extended Period by Process
* update Libraries Loaded by svchost with Low Occurrence Frequency
* updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent
* updated Network Discovery via Sensitive Ports by Unusual Process
* updated PE File Transfer via SMB_Admin Shares by Agent or User
* updated Persistence via Run Key with Low Occurrence Frequency
* updates Persistence via Startup with Low Occurrence Frequency by Unique Host
* updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source
* updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon"
* updates "Egress Network Connections with Total Bytes Greater than Threshold"
* updates "Rundll32 Execution Aggregated by Command Line"
* updates "Scheduled tasks Creation by Action via Registry"
* updates "Scheduled Tasks Creation for Unique Hosts by Task Command"
* updates "Suspicious Base64 Encoded Powershell Command"
* updates "Suspicious DNS TXT Record Lookups by Process"
* updates "Unique Windows Services Creation by Service File Name"
* Updates "Unique Windows Services Creation by Service File Name"
* updates "Windows Command and Scripting Interpreter from Unusual Parent Process"
* updates "Windows Logon Activity by Source IP"
* updates "Suspicious Network Connections by Unsigned Mach-O"
* updates LLM hunting queries
* re-generated markdown files; updated generate markdown py file
* updated test_hunt_data
* Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml (Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>)
* Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml (Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>)
* Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml (Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>)
* Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml (Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>)
* Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml (Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>)
* updated missing integrations
* updated MD docs according to recent hunting changes
* Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml (Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>)
* Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml (Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>)
* Update hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml (Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>)
* Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml (Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>)
* Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml (Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>)
* added enrichment policy link to rule
* Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/index.md (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)
* Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml (Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>)

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Hunt Queries
Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack. Each file in this directory provides a query tailored for identifying specific security threats or suspicious activities.
These queries are designed for use with the Elastic Security platform, part of the broader Elastic Stack, enabling security teams to proactively hunt for potential threats in their environment. Queries may be written in any of the following languages:
- KQL
- EQL
- ES|QL
- OsQuery
- YARA
How to Contribute
Contributing to the hunting folder is a great way to share your expertise and enhance the security community's capabilities. Here’s how you can contribute:
Names and Related Queries
All query names should be unique and descriptive. If a query's intent is identical or related to another query, consider adding a suffix with the integration(s) to the name to indicate the relationship and distinguish them from each other. Otherwise, the names do not require the integration, since it is already annotated within the integration field. The filename should reflect the query name.
For example:
- Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Elastic Defend
- Detect DLL Hijack via Masquerading as Microsoft Native Libraries - Sysmon
Adding New Queries
- TOML File Naming and Organization: Ensure that any new queries are named descriptively and grouped by the type of threat they address. Place your TOML files inside the `queries` folder and ensure they are named in a way that reflects the nature of the threat or behavior they are designed to detect.
- TOML Fields: To ensure the hunt queries are consistent and comprehensive, it's important to structure the threat detection rules with specific fields. When contributing a new rule, please include the following fields in the TOML file to describe and configure the analytic:
  - author: The name of the individual or organization authoring the rule.
  - integration: The specific integration or data source the rule applies to, such as `aws_bedrock.invocation`.
  - uuid: A unique identifier for the rule to maintain version control and tracking.
  - name: A descriptive name for the rule that clearly indicates its purpose.
  - language: The query language used in the rule, such as `KQL`, `EQL`, `ES|QL`, `OsQuery`, or `YARA`.
  - query: The actual query or analytic expression written in the appropriate query language that executes the detection logic.
  - notes: An array of strings providing detailed insights into the rationale behind the rule, suggestions for further investigation, and tips on distinguishing false positives from true activity.
  - mitre: Reference to applicable MITRE ATT&CK tactics or techniques that the rule addresses, enhancing the contextual understanding of its security implications.
  - references: Links to external documents, research papers, or websites that provide additional information or validation for the detection logic.
- Documentation (Optional): Include a `README.md` in each subfolder describing the queries and their purposes. This would include a brief description of the new category.
Field Usage
Use standardized fields where possible to ensure that queries are compatible across different data environments and sources.
Review and Pull Requests
Follow the standard contributing guide. Please remember to use the `generate_markdown.py` script to update the documentation after adding or updating queries.
Using the Script to Generate Markdown
The `generate_markdown.py` script is provided to automate the creation of Markdown files from TOML rule definitions. Here’s how to use it:
- Generating Markdown: Run `python generate_markdown.py` from the root of the `hunting` directory. This will generate Markdown files for each TOML file and update the `index.md` to include links to the new Markdown files.
- Structure: Rules should be written in TOML and saved under the respective `hunt/*/rules/` directory. The script will automatically convert them into Markdown and save them in the `docs` directory within the respective category folder.
Sample Directory Structure Example
.
├── README.md
├── generate_markdown.py
├── index.md
└── categorical_folder_name
    ├── README.md
    ├── docs
    │   └── generated_markdown.md
    └── rules
        └── hunt_query.toml