security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b4c84e8a40ecefd3ce88838740fb977e3a5d1b63
sigma-rules/rules
T
History
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-22 18:38:56 -03:00
..
_deprecated
[Rule Tuning] Potential Shell via Web Server (#2585)
2023-05-05 09:47:49 +02:00
apm
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
cross-platform
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
integrations
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
linux
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
macos
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
ml
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
network
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
promotions
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
windows
[Security Content] Tags Reform (#2725)
2023-06-22 18:38:56 -03:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink