security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d47d87386c76bc6b7b0fc211cfe365143b22dee0
sigma-rules/rules
T
History
Isai d47d87386c [Rule Tuning] AWS RDS Snapshot Restored (#3809) 
* [Tuning] AWS RDS Instance Restored

-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added

* Update defense_evasion_rds_instance_restored.toml

* Update defense_evasion_rds_instance_restored.toml

* removed investigation guide place holder

* deprecated old rule because of name change

* change rule_id

* Revert "change rule_id"

This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.

* Revert "deprecated old rule because of name change"

This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.

(cherry picked from commit f62644887e)
2024-06-29 00:46:01 +00:00
..
_deprecated
[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory (#3477)
2024-04-01 15:08:51 +00:00
apm
Back-porting Version Trimming (#3704)
2024-05-22 19:18:10 +00:00
cross-platform
[Rule Tuning] SUID/SGID Bit Set (#3802)
2024-06-27 14:31:05 +00:00
integrations
[Rule Tuning] AWS RDS Snapshot Restored (#3809)
2024-06-29 00:46:01 +00:00
linux
[New Rules] Git Hook Execution/File Creation (#3832)
2024-06-28 09:37:47 +00:00
macos
Refresh MITRE Attack v15.1.0 (#3725)
2024-06-04 14:48:18 +00:00
ml
Adding setup templates to the ML rules (#3798)
2024-06-19 14:08:24 +00:00
network
Back-porting Version Trimming (#3704)
2024-05-22 19:18:10 +00:00
promotions
Back-porting Version Trimming (#3704)
2024-05-22 19:18:10 +00:00
threat_intel
[Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule (#3800)
2024-06-20 19:20:05 +00:00
windows
Update defense_evasion_microsoft_defender_tampering.toml (#3840)
2024-06-28 07:19:18 +00:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink