security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fa0310d0fb60e907ba3794facefec8287733a6f3
sigma-rules/rules
T
History
Isai fa0310d0fb [New Rule] Kubernetes Anonymous Request Authorized (#2300) 
* [New Rule] Kubernetes Anonymous Request Authorized

## Issue
#2038

## Summary
This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use
anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster.
This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.

* [New Rule] Kubernetes Suspicious Change to Privileges of Running Security Context

## Issue
https://github.com/elastic/detection-rules/issues/2032

## Summary

* Delete non-ecs-schema.json

* Delete privilege_escalation_suspicious_change_to_privileges_of_running_security_context.toml

* Create non-ecs-schema.json

* Update detection_rules/etc/non-ecs-schema.json

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2022-09-19 11:33:09 -05:00
..
_deprecated
[Deprecate Rule] Suspicious Process from Conhost (#2222)
2022-08-16 16:32:24 +02:00
apm
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
cross-platform
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
integrations
[New Rule] Kubernetes Anonymous Request Authorized (#2300)
2022-09-19 11:33:09 -05:00
linux
Linux rule to detect potential ssh brute force attack (#2291)
2022-09-19 20:26:18 +05:30
macos
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
ml
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
network
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
promotions
min_stack all rules to 8.3 (#2259)
2022-08-24 10:38:49 -06:00
windows
[New Rule] Full User-Mode Dumps Enabled System-Wide (#2276)
2022-09-15 16:57:00 -03:00
README.md
[New Rule] Endpoint Security Behavior Protection (#1440)
2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder description
. Root directory where rules are stored
apm/ Rules that use Application Performance Monitoring (APM) data sources
cross-platform/ Rules that apply to multiple platforms, such as Windows and Linux
integrations/ Rules organized by Fleet integration
linux/ Rules for Linux or other Unix based operating systems
macos/ Rules for macOS
ml/ Rules that use machine learning jobs (ML)
network/ Rules that use network data sources
promotions/ Rules that promote external alerts into detection engine alerts
windows/ Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder integration
aws/ Amazon Web Services (AWS)
azure/ Microsoft Azure
cyberarkpas/ Cyber Ark Privileged Access Security
endpoint/ Elastic Endpoint Security
gcp/ Google Cloud Platform (GCP)
google_workspace/ Google Workspace (formerly GSuite)
o365/ Microsoft Office
okta/ Oka
Reference in New Issue View Git Blame Copy Permalink