security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9b26cd21b749707e972fcf67a47132ec6ef430ad
sigma-rules/rules
T
History
Isai 9b26cd21b7 [Deprecation] AWS Redshift Cluster Creation (#5367) 
`CreateCluster` is a common Redshift lifecycle operation that occurs frequently in normal workflows. Creating a new Redshift cluster offers no real advantage to an attacker and outside of cost, does not produce material impact for a target environment. This behavior aligns more with cloud infrastructure monitoring or posture management, which is important but not the focus of our detection ruleset.

Real world Redshift abuse centers on misuse of existing resources, such as snapshot sharing or copying or exposing the cluster through permissive VPC security group changes. These threat paths should be covered by other rules. Deprecating this creation-focused rule reduces noise and keeps the AWS ruleset aligned with real threat surfaces rather than infrastructure management.
2025-12-03 13:02:19 -05:00
..
_deprecated
[Deprecation] Deprecated - AWS Root Login Without MFA (#5351)
2025-11-24 10:01:40 -05:00
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
integrations
[Deprecation] AWS Redshift Cluster Creation (#5367)
2025-12-03 13:02:19 -05:00
linux
[New Rule] Unusual Web Server Command Execution (#5392)
2025-12-03 16:29:08 +01:00
macos
Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008)
2025-08-26 13:03:59 +01:00
ml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
network
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
promotions
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
[Rule Tuning] Potential PowerShell Obfuscated Script (#5389)
2025-12-02 08:30:54 -08:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink