security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b39cfc34e6f148d973a034ec83530fe775d72811
sigma-rules/rules/cross-platform
T
History
Samirbous b39cfc34e6 [New] First Time Seen Elastic Defend Behavior Alert (#5528) 
* [New] First Time Seen Elastic Defend Behavior Alert

This rule detects Elastic Defend behavior alerts that are observed for the first time today when compared against
the previous 7 days of alert history. It highlights low-volume, newly observed alerts tied to a specific detection rule on a single agent, which may indicate early-stage malicious activity or initial execution of suspicious behavior :

* Update first_time_seen_elastic_defend_alert.toml

* ++

* Update first_time_seen_elastic_defend_alert.toml

* ++

* Update fist_time_seen_elastic_detection_rule.toml

* Update fist_time_seen_elastic_detection_rule.toml

* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update fist_time_seen_elastic_detection_rule.toml

* Update first_time_seen_elastic_defend_alert.toml

* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/first_time_seen_elastic_defend_alert.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/cross-platform/fist_time_seen_elastic_detection_rule.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update first_time_seen_elastic_defend_alert.toml

* Update and rename fist_time_seen_elastic_detection_rule.toml to newly_observed_elastic_detection_rule.toml

* Rename first_time_seen_elastic_defend_alert.toml to newly_observed_elastic_defend_alert.toml

* Update newly_observed_elastic_defend_alert.toml

* Update newly_observed_elastic_detection_rule.toml

* Update newly_observed_elastic_defend_alert.toml

* Update newly_observed_elastic_detection_rule.toml

* Update newly_observed_elastic_defend_alert.toml

* Update newly_observed_elastic_detection_rule.toml

* Update newly_observed_elastic_detection_rule.toml

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2026-01-09 10:34:32 +00:00
..
command_and_control_curl_wget_spawn_via_nodejs_parent.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
command_and_control_genai_process_suspicious_tld_connection.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
command_and_control_genai_process_unusual_domain.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
command_and_control_google_drive_malicious_file_download.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
command_and_control_non_standard_ssh_port.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
command_and_control_pan_elastic_defend_c2.toml
[New] PANW Command and Control Correlation (#5331)
2025-11-24 14:01:52 +00:00
command_and_control_socks_fortigate_endpoint.toml
[New] SOCKS Traffic from an Unusual Process (#5324)
2025-11-24 13:18:30 +00:00
command_and_control_suricata_elastic_defend_c2.toml
[New] Suricata and Elastic Defend Network Correlation (#5443)
2025-12-19 09:08:31 +00:00
credential_access_cookies_chromium_browsers_debugging.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_forced_authentication_pipes.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
credential_access_genai_process_sensitive_file_access.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
credential_access_gitleaks_execution.toml
[New Rule] Potential Secret Scanning via Gitleaks (#5377)
2025-12-02 09:42:19 +01:00
credential_access_multi_could_secrets_via_api.toml
[New] Multiple Cloud Secrets Accessed by Source Address (#5388)
2025-12-04 18:04:25 +00:00
credential_access_trufflehog_execution.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
defense_evasion_agent_spoofing_mismatched_id.toml
Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312)
2025-11-13 17:26:29 +00:00
defense_evasion_agent_spoofing_multiple_hosts.toml
Update defense_evasion_agent_spoofing_multiple_hosts.toml (#5446)
2025-12-12 17:47:11 +00:00
defense_evasion_deleting_websvr_access_logs.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_deletion_of_bash_command_line_history.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_elastic_agent_service_terminated.toml
[Rule Tuning] Elastic Agent Service Terminated (#5272)
2025-11-12 08:34:34 -03:00
defense_evasion_encoding_rot13_python_script.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_genai_config_modification.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
defense_evasion_genai_process_compiling_executables.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
defense_evasion_genai_process_encoding_prior_to_network_activity.toml
[New Rules] Add MITRE ATLAS framework support and GenAI threat detection rules (#5352)
2025-12-05 12:26:56 -06:00
defense_evasion_masquerading_space_after_filename.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_potential_http_downgrade_attack.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
defense_evasion_processes_with_trailing_spaces.toml
[Rule Tuning] Linux DR BBR Tuning (#5514)
2026-01-07 16:52:40 +01:00
defense_evasion_timestomp_touch.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
defense_evasion_whitespace_padding_command_line.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
discovery_security_software_grep.toml
[Rule Tuning] Q2 Linux DR Tuning - CP (#4170)
2024-10-18 16:38:14 +02:00
discovery_virtual_machine_fingerprinting_grep.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_web_server_local_file_inclusion_activity.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
discovery_web_server_remote_file_inclusion_activity.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
execution_aws_ec2_lolbin_via_ssm.toml
[New Rule] AWS EC2 LOLBin Execution via SSM (#5354)
2025-12-05 16:14:33 -05:00
execution_aws_ssm_sendcommand_with_command_parameters.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_git_exploit_cve_2025_48384.toml
[New Rule] Potential Git CVE-2025-48384 Exploitation (#5301)
2025-11-12 15:45:52 +01:00
execution_nodejs_pre_or_post_install_script_execution.toml
[Rule Tuning] Node.js Pre or Post-Install Script Execution to Cross-Platform (#5403)
2025-12-04 09:07:12 -05:00
execution_pentest_eggshell_remote_admin_tool.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_potential_widespread_malware_infection.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_privileged_container_creation_with_host_reference.toml
[New Rule] Privileged Container Creation with Host Directory Mount (#5373)
2025-12-02 09:33:16 +01:00
execution_register_github_actions_runner.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
execution_revershell_via_shell_cmd.toml
[Docs | Rule Tuning] Add blog references to rules (#4097)
2024-09-25 15:19:20 -05:00
execution_suspicious_java_netcon_childproc.toml
[Rule Tuning] Linux DR Tuning - Part 6 (#4423)
2025-02-03 14:05:26 +01:00
execution_via_github_actions_runner.toml
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
execution_via_github_runner_with_runner_tracking_id_tampering_via_env_vars.toml
[New Rule] Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners (#5370)
2025-12-02 10:22:24 +01:00
guided_onboarding_sample_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_hosts_file_modified.toml
[Tuning] Top Noisy Rules (#5449)
2025-12-12 14:28:12 +00:00
initial_access_azure_o365_with_network_alert.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_execution_susp_react_serv_child.toml
Update initial_access_execution_susp_react_serv_child.toml (#5503)
2026-01-01 15:27:33 -03:00
initial_access_exfiltration_new_usb_device_mounted.toml
[New] New USB Storage Device Mounted (#5299)
2025-11-11 09:28:54 +00:00
initial_access_file_upload_followed_by_get_request.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
initial_access_zoom_meeting_with_no_passcode.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
multiple_alerts_by_host_ip_and_source_ip.toml
[New] Suspected Lateral Movement from Compromised Host (#5521)
2026-01-07 16:23:16 +00:00
multiple_alerts_different_tactics_host.toml
Update multiple_alerts_different_tactics_host.toml (#4854)
2025-06-27 09:53:42 -03:00
multiple_alerts_edr_elastic_defend_by_host.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
multiple_alerts_edr_elastic_same_process_tree.toml
[New] Multiple Elastic Defend Alerts from Single Process Tree (#5522)
2026-01-02 15:13:25 +00:00
multiple_alerts_elastic_defend_netsecurity_by_host.toml
[Tuning] Elastic Defend and Network Security Alerts Correlation (#5518)
2026-01-02 14:40:06 +00:00
multiple_alerts_email_elastic_defend_correlation.toml
[Tuning] Elastic Defend and Email Alerts Correlation (#5459)
2025-12-15 15:33:10 +00:00
multiple_alerts_from_different_modules_by_dstip.toml
[New] Alerts From Multiple Integrations by Entity (#5460)
2025-12-18 18:04:58 +00:00
multiple_alerts_from_different_modules_by_srcip.toml
[New] Alerts From Multiple Integrations by Entity (#5460)
2025-12-18 18:04:58 +00:00
multiple_alerts_from_different_modules_by_user.toml
[New] Alerts From Multiple Integrations by Entity (#5460)
2025-12-18 18:04:58 +00:00
multiple_alerts_involving_user.toml
[Rule Tuning] Multiple Alerts Involving a User (#5498)
2025-12-19 12:57:25 -03:00
multiple_alerts_risky_host_esql.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
newly_observed_elastic_defend_alert.toml
[New] First Time Seen Elastic Defend Behavior Alert (#5528)
2026-01-09 10:34:32 +00:00
newly_observed_elastic_detection_rule.toml
[New] First Time Seen Elastic Defend Behavior Alert (#5528)
2026-01-09 10:34:32 +00:00
persistence_credential_access_modify_auth_module_or_config.toml
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration (#5421)
2025-12-08 18:54:23 +05:30
persistence_shell_profile_modification.toml
[Tuning] Diverse Rules Tuning (#5482)
2025-12-18 15:30:12 +00:00
persistence_ssh_authorized_keys_modification.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
persistence_web_server_potential_command_injection.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
privilege_escalation_echo_nopasswd_sudoers.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
privilege_escalation_sudo_buffer_overflow.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sudoers_file_mod.toml
[Rule Tuning] Linux DR CP Tuning (#5512)
2026-01-07 16:40:37 +01:00
privilege_escalation_trap_execution.toml
[Rule Tuning] Linux DR BBR Tuning (#5514)
2026-01-07 16:52:40 +01:00
reconnaissance_web_server_discovery_or_fuzzing_activity.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
reconnaissance_web_server_unusual_spike_in_error_logs.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
reconnaissance_web_server_unusual_spike_in_error_response_codes.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00
reconnaissance_web_server_unusual_user_agents.toml
[Rule Tuning] Interval fix + Datastream values to ESQL Rules (#5413)
2025-12-05 16:42:52 +01:00