security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6e77f5176d087661765bf57dea423ef47aa6e136
sigma-rules/rules
T
History
Andrew Stucki 6e77f5176d [New Rule] auditd login anomalies (#33) 
* Add auditd login anomaly rules

* Flip logic to start with less-specific filters

* remove event.category from queries and update metadata

* surround event.action with quotes to account for dash

* update tags

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-10 14:24:55 -05:00
..
apm
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
aws
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
azure
Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main
2021-01-28 10:41:39 -09:00
cross-platform
[New Rule] Suspicious Python Script Execution via the CommandLine (#852)
2021-02-10 18:37:03 +01:00
gcp
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
google-workspace
[Rule Tuning] Update rules for new Fleet integrations (#729)
2020-12-18 12:23:12 -05:00
linux
[New Rule] auditd login anomalies (#33)
2021-02-10 14:24:55 -05:00
macos
[New Rule] Suspicious Adobe Acrobat Updates Service Child Process (#886)
2021-02-10 14:08:37 +01:00
microsoft-365
Fix spelling of Continuous Monitoring (#795)
2021-01-04 15:05:34 -07:00
ml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
network
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
okta
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
promotions
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
windows
[Rule Tuning] Suspicious WerFault Child Process (#915)
2021-02-10 14:17:57 -05:00
README.md
Add timeline_id to detection rules (#95)
2020-10-27 13:34:16 -05:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
aws/ Rules written for the Amazon Web Services (AWS) module of filebeat
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
okta/ Rules written for the Okta module of filebeat
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System
Reference in New Issue View Git Blame Copy Permalink