security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f8f4c0476b0e18193c7f2f0d6eff77f808b86913
sigma-rules/rules
T
History
Isai f8f4c0476b [Rule Tuning] AWS EFS File System Deleted (#5369) 
`DeleteFileSystem` permanently removes an Amazon EFS file system and all stored data. This operation has no recovery path and represents a clear Impact-level destructive action when performed unintentionally or by an unauthorized actor. It is rare in most environments and typically limited to infrastructure teardown or automated provisioning workflows.

Currently this rule also matches `DeleteMountTarget` events. This action appears frequently in normal EFS lifecycle workflows and is not, by itself, a strong indicator of malicious intent. Since only `DeleteFileSystem` represents irreversible destructive impact, the rule has been narrowed to focus exclusively on the meaningful threat behavior.

- removed `DeleteMountTarget` scope from query
- rule name change and toml file name change to match new scope
- reduced execution window
- updated tags
- updated description, FP and IG
- added highlighted fields
2025-12-02 18:45:02 -05:00
..
_deprecated
[Deprecation] Deprecated - AWS Root Login Without MFA (#5351)
2025-11-24 10:01:40 -05:00
apm
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cross-platform
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
integrations
[Rule Tuning] AWS EFS File System Deleted (#5369)
2025-12-02 18:45:02 -05:00
linux
[New/Tuning] NPM Shai-Hulud coverage (#5368)
2025-12-02 10:57:12 +00:00
macos
Update command_and_control_unusual_network_connection_to_suspicious_web_service.toml (#5008)
2025-08-26 13:03:59 +01:00
ml
add mitre attack rules for ML job rules, bump dates (#5333)
2025-12-01 15:48:59 -06:00
network
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
promotions
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
threat_intel
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
windows
[Rule Tuning] Potential PowerShell Obfuscated Script (#5389)
2025-12-02 08:30:54 -08:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink