security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bf1dc2547f58e92b23fca3d937dbdb64d29442ec
sigma-rules/rules
T
History
Isai bf1dc2547f [Rule Tunings] AWS SSM Command Document Created by Rare User (#4848) 
* [Rule Tunings] AWS SSM Command Document Created by Rare User

## AWS SSM Command Document Created by Rare User
Rule executes as expected and has very few alerts in telemetry. However, it is one of the rules timing out occasionally.
- reduced execution window
- reduced new terms history window
- replaced wildcards with the flattened field in the query, which should improve performance
- replaced `aws.cloudtrail.user_identity.arn` with combination of `cloud.account.id` and `user.name` to account for Assumed Roles. This will only evaluate the role instead of each individual role session, which will improve performance.
- added investigation fields
- corrected tags
- added mitre technique

## AWS SSM `SendCommand` Execution by Rare User"
- added investigation fields
- added tag

* update pyproject.toml

update pyproject.toml version
2025-06-27 13:24:27 -04:00
..
_deprecated
[Deprecation] Suspicious File Creation in /etc for Persistence (#4850)
2025-06-27 10:14:53 +02:00
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
Update multiple_alerts_different_tactics_host.toml (#4854)
2025-06-27 09:53:42 -03:00
integrations
[Rule Tunings] AWS SSM Command Document Created by Rare User (#4848)
2025-06-27 13:24:27 -04:00
linux
[Deprecation] Suspicious File Creation in /etc for Persistence (#4850)
2025-06-27 10:14:53 +02:00
macos
[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547)
2025-04-22 21:23:01 +05:30
ml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
network
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
promotions
Update Max signals value to supported limits (#4556)
2025-03-27 09:02:25 +05:30
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
Update command_and_control_new_terms_commonly_abused_rat_execution.toml (#4842)
2025-06-25 12:39:48 -03:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink