security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
83e36854f040c5661519361f39e7a0530ba797e0
sigma-rules/rules
T
History
Isai 83e36854f0 [Rule Tunings] AWS Root Access Rules (#5218) 
* [Rule Tunings] AWS Root Password Recovery and Login Profile Created

AWS IAM Password Recovery Requested > AWS Sign-In Root Password Recovery Requested
- Name change to properly indicate the service Sign-In vs IAM which is used for this API call. Also highlights that this is `Root` activity. In AWS, the PasswordRecoveryRequested event from signin.amazonaws.com applies to the root user’s “Forgot your password?” flow. Other identity types, like IAM and federated users, do not generate this event.
- reduced execution window
- updated Investigation Guide
- updated tag
- added highlighted fields

AWS IAM Login Profile Added for Root
- changed rule type from esql to eql
- added index
- reduced execution window
- updated description and investigation guide to clarify emphasis on Root identity scope
- added highlighted fields

* increased severity score

increased severity score since this is related to root

* Update broken link

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-10-15 13:58:32 -04:00
..
_deprecated
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30
integrations
[Rule Tunings] AWS Root Access Rules (#5218)
2025-10-15 13:58:32 -04:00
linux
[Tuning] Simple HTTP Web Server Connection (#5209)
2025-10-13 15:01:38 +01:00
macos
Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008)
2025-08-26 13:03:59 +01:00
ml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
network
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
promotions
Tune a Tag discrepency in rule (#5053)
2025-09-02 21:12:06 +05:30
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
[New] Potential Command Shell via NetCat (#5221)
2025-10-15 12:30:09 +01:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink