Description
This is a collection of SIEM detection rules for Elastic Security, covering proxy and web server logs, based on the Sigma project. The rule collection checks these logs for suspicious events in order to find common threats.
Elastic Security detection rules based on Sigma rules
APT40 Dropbox Tool User Agent
Detects the suspicious user agent string of the APT40 Dropbox tool
Domestic Kitten FurBall Malware Pattern
Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group
Chafer Malware URL Pattern
Detects HTTP requests used by Chafer malware
CobaltStrike Malleable Amazon Browsing Traffic Profile
Detects Malleable Amazon Profile
CobaltStrike Malleable (OCSP) Profile
Detects Malleable (OCSP) Profile with Typo (OSCP) in URL
CobaltStrike Malleable OneDrive Browsing Traffic Profile
Detects Malleable OneDrive Profile
Windows WebDAV User Agent
Detects a WebDAV download cradle
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
Download from Suspicious TLD
Detects download of certain file types from hosts in suspicious TLDs
Download EXE from Suspicious TLD
Detects executable downloads from suspicious remote systems
Empire UserAgent URI Combo
Detects user agent and URI path combinations used by Empire agents
Empty User Agent
Detects suspicious empty user agent strings in proxy logs
iOS Implant URL Pattern
Detects URL pattern used by iOS Implant
Windows PowerShell User Agent
Detects Windows PowerShell Web Access
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Raw Paste Service Access
Detects direct access to raw pastes on different paste services, often used by malware in its second stage to download malicious code in encrypted or encoded form
Flash Player Update from Suspicious Location
Detects a Flash Player update from an unofficial location
Telegram API Access
Detects suspicious requests to Telegram API without the usual Telegram User-Agent
Turla ComRAT
Detects Turla ComRAT patterns
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Hack Tool User Agent
Detects suspicious user agent strings used by hack tools in proxy logs
Malware User Agent
Detects suspicious user agent strings used by malware in proxy logs
Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs
Source
These rules are made by the Sigma project. This is a collection of rules covering several different attack tactics. The rules are created by the Sigma community and translated into the format used by the Elastic Security detection engine.
The translation was made with SIEGMA.
Tested versions: 7.12
ECS compliant