security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fda139f4bf13cd379cc8612cab1f4da1f61ba23f
sigma-rules/rules/cross-platform
T
History
Samirbous fda139f4bf [New] Alerts in Different ATT&CK Tactics by Host (#5343) 
* [New] Alerts in Different ATT&CK Tactics by Host

Using ES|QL and alerts risk score to identify top risky hosts based on presence of multiple alert touching at least 4 unique tactics in a 24h time Window.

* Update multiple_alerts_risky_host_esql.toml

* Update multiple_alerts_risky_host_esql.toml

* Update multiple_alerts_risky_host_esql.toml

* Update multiple_alerts_risky_host_esql.toml

* Update multiple_alerts_risky_host_esql.toml

* Update non-ecs-schema.json

* ++

* Update multiple_alerts_edr_elastic_defend_by_host.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-11-24 22:46:09 +05:30
..
command_and_control_google_drive_malicious_file_download.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
command_and_control_non_standard_ssh_port.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
command_and_control_pan_elastic_defend_c2.toml
[New] PANW Command and Control Correlation (#5331)
2025-11-24 14:01:52 +00:00
command_and_control_socks_fortigate_endpoint.toml
[New] SOCKS Traffic from an Unusual Process (#5324)
2025-11-24 13:18:30 +00:00
credential_access_cookies_chromium_browsers_debugging.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
credential_access_forced_authentication_pipes.toml
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464)
2025-02-19 12:54:31 -03:00
credential_access_trufflehog_execution.toml
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30
defense_evasion_agent_spoofing_mismatched_id.toml
Update defense_evasion_agent_spoofing_mismatched_id.toml (#5312)
2025-11-13 17:26:29 +00:00
defense_evasion_agent_spoofing_multiple_hosts.toml
[Tuning] Agent Spoofing - Multiple Hosts Using Same Agent (#5313)
2025-11-24 12:59:49 +00:00
defense_evasion_deleting_websvr_access_logs.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
defense_evasion_deletion_of_bash_command_line_history.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_elastic_agent_service_terminated.toml
[Rule Tuning] Elastic Agent Service Terminated (#5272)
2025-11-12 08:34:34 -03:00
defense_evasion_encoding_rot13_python_script.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_masquerading_space_after_filename.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_timestomp_touch.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_whitespace_padding_command_line.toml
[New] Command Line Obfuscation via Whitespace Padding (#4860)
2025-08-18 15:26:52 +01:00
discovery_security_software_grep.toml
[Rule Tuning] Q2 Linux DR Tuning - CP (#4170)
2024-10-18 16:38:14 +02:00
discovery_virtual_machine_fingerprinting_grep.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_aws_ssm_sendcommand_with_command_parameters.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_git_exploit_cve_2025_48384.toml
[New Rule] Potential Git CVE-2025-48384 Exploitation (#5301)
2025-11-12 15:45:52 +01:00
execution_pentest_eggshell_remote_admin_tool.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_potential_widespread_malware_infection.toml
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
execution_revershell_via_shell_cmd.toml
[Docs | Rule Tuning] Add blog references to rules (#4097)
2024-09-25 15:19:20 -05:00
execution_suspicious_java_netcon_childproc.toml
[Rule Tuning] Linux DR Tuning - Part 6 (#4423)
2025-02-03 14:05:26 +01:00
guided_onboarding_sample_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_hosts_file_modified.toml
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00
initial_access_azure_o365_with_network_alert.toml
[Rule Tuning] Microsoft Azure or Mail Sign-in from a Suspicious Source (#4946)
2025-07-31 09:57:02 -04:00
initial_access_exfiltration_new_usb_device_mounted.toml
[New] New USB Storage Device Mounted (#5299)
2025-11-11 09:28:54 +00:00
initial_access_zoom_meeting_with_no_passcode.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
multiple_alerts_different_tactics_host.toml
Update multiple_alerts_different_tactics_host.toml (#4854)
2025-06-27 09:53:42 -03:00
multiple_alerts_edr_elastic_defend_by_host.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
multiple_alerts_elastic_defend_netsecurity_by_host.toml
[New] Elastic Defend and Network Security Alerts Correlation (#5332)
2025-11-24 22:15:15 +05:30
multiple_alerts_email_elastic_defend_correlation.toml
[New] Elastic Defend and Email Alerts Correlation (#5336)
2025-11-24 22:26:00 +05:30
multiple_alerts_involving_user.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
multiple_alerts_risky_host_esql.toml
[New] Alerts in Different ATT&CK Tactics by Host (#5343)
2025-11-24 22:46:09 +05:30
persistence_credential_access_modify_auth_module_or_config.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_shell_profile_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_ssh_authorized_keys_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_echo_nopasswd_sudoers.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sudo_buffer_overflow.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_sudoers_file_mod.toml
[Rule Tuning] Sudoers File Modification (#4904)
2025-07-16 10:17:51 +02:00