security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7b4611713b5745cc1a29e6ea59ee65df7925ffb2
sigma-rules/rules/cross-platform
T
History
Samirbous 2d5d826be7 [New] Multiple External EDR Alerts by Host (#5540) 
* [New] Multiple External EDR Alerts by Host

This rule uses alert data to determine when multiple external EDR alerts involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml

* Update multiple_external_edr_alerts_by_host.toml
2026-01-09 15:51:51 +00:00
..
command_and_control_curl_wget_spawn_via_nodejs_parent.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
command_and_control_genai_process_suspicious_tld_connection.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
command_and_control_genai_process_unusual_domain.toml
[Rule Tuning] GenAI DR Tuning (#5506)
2026-01-09 08:23:03 -06:00
command_and_control_google_drive_malicious_file_download.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
command_and_control_non_standard_ssh_port.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
command_and_control_pan_elastic_defend_c2.toml
[New] PANW Command and Control Correlation (#5331)
2025-11-24 14:01:52 +00:00
command_and_control_socks_fortigate_endpoint.toml
[New] SOCKS Traffic from an Unusual Process (#5324)
2025-11-24 13:18:30 +00:00
command_and_control_suricata_elastic_defend_c2.toml
[New] Suricata and Elastic Defend Network Correlation (#5443)
2025-12-19 09:08:31 +00:00
credential_access_cookies_chromium_browsers_debugging.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_forced_authentication_pipes.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
credential_access_genai_process_sensitive_file_access.toml
[Rule Tuning] GenAI DR Tuning (#5506)
2026-01-09 08:23:03 -06:00
credential_access_gitleaks_execution.toml
[New Rule] Potential Secret Scanning via Gitleaks (#5377)
2025-12-02 09:42:19 +01:00
credential_access_multi_could_secrets_via_api.toml
[New] Multiple Cloud Secrets Accessed by Source Address (#5388)
2025-12-04 18:04:25 +00:00
credential_access_trufflehog_execution.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
defense_evasion_agent_spoofing_mismatched_id.toml
Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312)
2025-11-13 17:26:29 +00:00
defense_evasion_agent_spoofing_multiple_hosts.toml
Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446)
2025-12-12 17:47:11 +00:00
defense_evasion_deleting_websvr_access_logs.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_deletion_of_bash_command_line_history.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_elastic_agent_service_terminated.toml
[Rule Tuning] Elastic Agent Service Terminated (#5272)
2025-11-12 08:34:34 -03:00
defense_evasion_encoding_rot13_python_script.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_genai_config_modification.toml
[Rule Tuning] GenAI DR Tuning (#5506)
2026-01-09 08:23:03 -06:00
defense_evasion_genai_process_compiling_executables.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
defense_evasion_genai_process_encoding_prior_to_network_activity.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
defense_evasion_masquerading_space_after_filename.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_potential_http_downgrade_attack.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
defense_evasion_processes_with_trailing_spaces.toml
[Rule Tuning] Linux DR BBR Tuning (#5514)
2026-01-07 16:52:40 +01:00
defense_evasion_timestomp_touch.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_whitespace_padding_command_line.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
discovery_security_software_grep.toml
[Rule Tuning] Q2 Linux DR Tuning - CP (#4170)
2024-10-18 16:38:14 +02:00
discovery_virtual_machine_fingerprinting_grep.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_web_server_local_file_inclusion_activity.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
discovery_web_server_remote_file_inclusion_activity.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
execution_aws_ec2_lolbin_via_ssm.toml
[New Rule] AWS EC2 LOLBin Execution via SSM (#5354)
2025-12-05 16:14:33 -05:00
execution_aws_ssm_sendcommand_with_command_parameters.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_git_exploit_cve_2025_48384.toml
[New Rule] Potential Git CVE-2025-48384 Exploitation (#5301)
2025-11-12 15:45:52 +01:00
execution_nodejs_pre_or_post_install_script_execution.toml
[Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403)
2025-12-04 09:07:12 -05:00
execution_pentest_eggshell_remote_admin_tool.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_potential_widespread_malware_infection.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_privileged_container_creation_with_host_reference.toml
[New Rule] Privileged Container Creation with Host Directory Mount (#5373)
2025-12-02 09:33:16 +01:00
execution_register_github_actions_runner.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
execution_revershell_via_shell_cmd.toml
[Docs | Rule Tuning] Add blog references to rules (#4097)
2024-09-25 15:19:20 -05:00
execution_suspicious_java_netcon_childproc.toml
[Rule Tuning] Linux DR Tuning - Part 6 (#4423)
2025-02-03 14:05:26 +01:00
execution_via_github_actions_runner.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
[New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370)
2025-12-02 10:22:24 +01:00
guided_onboarding_sample_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_hosts_file_modified.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
initial_access_azure_o365_with_network_alert.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_execution_susp_react_serv_child.toml
Update initial_access_execution_susp_react_serv_child.toml (#5503)
2026-01-01 15:27:33 -03:00
initial_access_exfiltration_new_usb_device_mounted.toml
[New] New USB Storage Device Mounted (#5299)
2025-11-11 09:28:54 +00:00
initial_access_file_upload_followed_by_get_request.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
initial_access_zoom_meeting_with_no_passcode.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
multiple_alerts_by_host_ip_and_source_ip.toml
[New] Suspected Lateral Movement from Compromised Host (#5521)
2026-01-07 16:23:16 +00:00
multiple_alerts_different_tactics_host.toml
Update multiple_alerts_different_tactics_host.toml (#4854)
2025-06-27 09:53:42 -03:00
multiple_alerts_edr_elastic_defend_by_host.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
multiple_alerts_edr_elastic_same_process_tree.toml
[New] Multiple Elastic Defend Alerts from Single Process Tree (#5522)
2026-01-02 15:13:25 +00:00
multiple_alerts_elastic_defend_netsecurity_by_host.toml
[Tuning] Elastic Defend and Network Security Alerts Correlation (#5518)
2026-01-02 14:40:06 +00:00
multiple_alerts_email_elastic_defend_correlation.toml
[Tuning] Elastic Defend and Email Alerts Correlation (#5459)
2025-12-15 15:33:10 +00:00
multiple_alerts_from_different_modules_by_dstip.toml
[New] Alerts From Multiple Integrations by Entity (#5460)
2025-12-18 18:04:58 +00:00
multiple_alerts_from_different_modules_by_srcip.toml
[New] Alerts From Multiple Integrations by Entity (#5460)
2025-12-18 18:04:58 +00:00
multiple_alerts_from_different_modules_by_user.toml
[New] Alerts From Multiple Integrations by Entity (#5460)
2025-12-18 18:04:58 +00:00
multiple_alerts_involving_user.toml
[Rule Tuning] Multiple Alerts Involving a User (#5498)
2025-12-19 12:57:25 -03:00
multiple_alerts_risky_host_esql.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
multiple_external_edr_alerts_by_host.toml
[New] Multiple External EDR Alerts by Host (#5540)
2026-01-09 15:51:51 +00:00
newly_observed_elastic_defend_alert.toml
[New] First Time Seen Elastic Defend Behavior Alert (#5528)
2026-01-09 10:34:32 +00:00
newly_observed_elastic_detection_rule.toml
[New] First Time Seen Elastic Defend Behavior Alert (#5528)
2026-01-09 10:34:32 +00:00
persistence_credential_access_modify_auth_module_or_config.toml
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#5421)
2025-12-08 18:54:23 +05:30
persistence_shell_profile_modification.toml
[Tuning] Diverse Rules Tuning (#5482)
2025-12-18 15:30:12 +00:00
persistence_ssh_authorized_keys_modification.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
persistence_web_server_potential_command_injection.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
privilege_escalation_echo_nopasswd_sudoers.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
privilege_escalation_sudo_buffer_overflow.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sudoers_file_mod.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
privilege_escalation_trap_execution.toml
[Rule Tuning] Linux DR BBR Tuning (#5514)
2026-01-07 16:52:40 +01:00
reconnaissance_web_server_discovery_or_fuzzing_activity.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
reconnaissance_web_server_unusual_spike_in_error_logs.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
reconnaissance_web_server_unusual_user_agents.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00