Elastic security

Description

This is a collection of SIEM detection rules for Elastic Security that cover proxy and web server logs and are based on the Sigma project. The rule collection checks for suspicious events in order to find common threats.

Elastic Security detection rules based on Sigma rules

APT40 Dropbox Tool User Agent
Detects the suspicious user agent string used by the APT40 Dropbox tool

Domestic Kitten FurBall Malware Pattern
Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group

Chafer Malware URL Pattern
Detects HTTP requests used by Chafer malware

CobaltStrike Malleable Amazon Browsing Traffic Profile
Detects Malleable Amazon Profile

CobaltStrike Malleable (OCSP) Profile
Detects Malleable (OCSP) Profile with Typo (OSCP) in URL

CobaltStrike Malleable OneDrive Browsing Traffic Profile
Detects Malleable OneDrive Profile

Windows WebDAV User Agent
Detects a WebDAV download cradle by its Windows WebDAV user agent

Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)

Download from Suspicious TLD
Detects download of certain file types from hosts in suspicious TLDs

Download EXE from Suspicious TLD
Detects executable downloads from suspicious remote systems

Empire UserAgent URI Combo
Detects user agent and URI path combinations used by Empire agents

Empty User Agent
Detects suspicious empty user agent strings in proxy logs

iOS Implant URL Pattern
Detects URL pattern used by iOS Implant

Windows PowerShell User Agent
Detects Windows PowerShell Web Access

PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Raw Paste Service Access
Detects direct access to raw pastes on different paste services, which malware often uses in its second stage to download malicious code in encrypted or encoded form

Flash Player Update from Suspicious Location
Detects a Flash Player update downloaded from an unofficial location

Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Turla ComRAT
Detects Turla ComRAT patterns

APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs

Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs

Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Hack Tool User Agent
Detects suspicious user agent strings used by hack tools in proxy logs

Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs

Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs

Source

These rules are made by the Sigma Project and cover several different attack tactics. They are created by the Sigma community and translated into the format used by the Elastic Security detection engine.

The translation was made with SIEGMA.

Tested versions: 7.12
ECS compliant
