security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a1716bd67349c7bf464303a1b63fbc4dbeac4c62
sigma-rules/rules
T
History
Ruben Groenewoud a1716bd673 [Rule Tuning] Several rule tunings (#3024) 
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-25 14:03:29 +02:00
..
_deprecated
[Rule Tuning] Some Tunings of several 8.9 rules (#2985)
2023-08-03 15:25:33 +02:00
apm
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
cross-platform
[Rule Tuning] Threat Intel Hash Indicator Match (#3031)
2023-08-25 06:21:16 -03:00
integrations
[Bug] Duplicate tag on Okta rule (#3020)
2023-08-21 10:42:47 -04:00
linux
[Rule Tuning] Several rule tunings (#3024)
2023-08-25 14:03:29 +02:00
macos
[BUG] test_all_rule_queries_optimized does not run on rules (#2823)
2023-06-23 10:58:31 -04:00
ml
Adding related integrations to ML rules (#2972)
2023-08-22 14:39:18 -04:00
network
[Bug] Duplicate tag on Okta rule (#3020)
2023-08-21 10:42:47 -04:00
promotions
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
windows
[Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing (#3025)
2023-08-22 13:04:25 -04:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink