security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63f76cf004dec3f3d7f716d50a98d8981871f33e
sigma-rules/rules
T
History
Terrance DeJesus 63f76cf004 [Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client (#5681) 
* [Rule Tuning] Transform Dormant SharePoint Rule to Detect OAuth Phishing
Fixes #5680

* adjusted query format for unit test; added additional domain tag for storage

* Apply suggestion from @terrancedejesus

* Fix formatting in non-ecs-schema.json

* adjusted description

* re-order mappings
2026-02-19 10:09:15 -05:00
..
_deprecated
[Rule Tuning] Dormant & Deprecated Rule Clean-Up (#5672)
2026-02-05 13:24:21 +01:00
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
[Tuning] High Order Rules fine tuning (#5728)
2026-02-18 23:31:56 +00:00
integrations
[Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client (#5681)
2026-02-19 10:09:15 -05:00
linux
[Rule Tuning] System Information Discovery via dmidecode from Parent Shell (#5732)
2026-02-17 17:49:56 +01:00
macos
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
ml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
network
[New Rule] Fortigate (FG-IR-26-060) Detections (#5641)
2026-01-30 10:16:34 -05:00
promotions
[New] Multiple Vulnerabilities by Asset via Wiz (#5598)
2026-01-26 17:26:17 +00:00
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
[New] Potential Notepad Markdown RCE Exploitation (#5729)
2026-02-18 16:19:56 +00:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink