
Add correlation rules from AT project

Open · tonifef opened this pull request 8 months ago · 1 comment

Summary of the Pull Request

Adding three new correlation rules that reduce false positives in the detection of ambiguous attack techniques.

Changelog

  • new: Domain Account Discovery Correlation - Multiple discovery command usage
  • new: File and Directory Discovery Correlation - Discovery indicative of ransomware using Bitlocker
  • new: Archive Collected Data Correlation - Multiple instances of archiving activity observed

Example Log Event

Detailed info on analytic development can be found at the following links:

  • https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/domain_account_discovery/
  • https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/file_directory_discovery/
  • https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/archive_collected_data/

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

tonifef, May 13 '25 20:05
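The three rules above are Sigma v2 correlation rules: a base rule matches a single discovery command, and the correlation only fires when enough matches occur per host inside a time window, which is what cuts the false positives from one-off administrative use. The evaluator below is an added, self-contained illustration of that idea and is not code from the PR, from SigmaHQ, or from pySigma; it mirrors the shape of a Sigma correlation section (`type`, `group-by`, `timespan`, `condition`, `field`) in a plain dict, the discovery command patterns and log events are constructed for the example, and the `event_count` versus `value_count` comparison goes beyond the PR text to show why counting distinct commands suppresses a looping inventory script that a bare event count would flag.

```python
"""Toy evaluator for Sigma v2 style event_count / value_count correlations.

Added example, not part of the SigmaHQ pull request. The rule dicts mirror the
layout of a Sigma correlation section but are evaluated by hand here rather
than by pySigma or a SIEM backend.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical hosts, users and times).
EVENTS = [
    {"ts": "2025-05-13T10:00:01", "host": "WS01", "user": "alice", "cmd": "net user /domain"},
    {"ts": "2025-05-13T10:00:20", "host": "WS01", "user": "alice", "cmd": 'net group "domain admins" /domain'},
    {"ts": "2025-05-13T10:01:05", "host": "WS01", "user": "alice", "cmd": "nltest /dclist:corp"},
    # WS02: a scheduled inventory script re-running the same command three times.
    {"ts": "2025-05-13T11:30:00", "host": "WS02", "user": "svc_inv", "cmd": "net user /domain"},
    {"ts": "2025-05-13T11:30:30", "host": "WS02", "user": "svc_inv", "cmd": "net user /domain"},
    {"ts": "2025-05-13T11:31:00", "host": "WS02", "user": "svc_inv", "cmd": "net user /domain"},
    # WS03: two legitimate one-off lookups hours apart.
    {"ts": "2025-05-13T12:00:00", "host": "WS03", "user": "carol", "cmd": "net user /domain"},
    {"ts": "2025-05-13T14:00:00", "host": "WS03", "user": "carol", "cmd": "nltest /dclist:corp"},
]

# Stand-in for the base detection rule: substrings a discovery command line
# would contain. Constructed list, not the PR's rule logic.
DISCOVERY_PATTERNS = ("net user /domain", "net group", "nltest /dclist", "dsquery user")

# Correlation rules written in the shape of a Sigma v2 correlation section.
EVENT_COUNT_RULE = {
    "type": "event_count",
    "group-by": ["host"],
    "timespan": timedelta(minutes=5),
    "condition": {"gte": 3},
}
VALUE_COUNT_RULE = {
    "type": "value_count",
    "field": "cmd",              # count distinct command lines, not raw events
    "group-by": ["host"],
    "timespan": timedelta(minutes=5),
    "condition": {"gte": 3},
}


def matches_base_rule(event):
    """True if the event would have matched the single-command base rule."""
    cmd = event["cmd"].lower()
    return any(pattern in cmd for pattern in DISCOVERY_PATTERNS)


def _condition_holds(value, condition):
    """Evaluate a single Sigma-style comparison such as {"gte": 3}."""
    op, threshold = next(iter(condition.items()))
    return {
        "gte": value >= threshold, "gt": value > threshold,
        "lte": value <= threshold, "lt": value < threshold,
        "eq": value == threshold,
    }[op]


def correlate(events, rule):
    """Return one alert per group whose window satisfies the rule condition."""
    matched = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events if matches_base_rule(e)]
    groups = defaultdict(list)
    for e in matched:
        groups[tuple(e[f] for f in rule["group-by"])].append(e)

    alerts = []
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at every matched event in the group.
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= rule["timespan"]]
            if rule["type"] == "event_count":
                value = len(window)
            elif rule["type"] == "value_count":
                value = len({e[rule["field"]] for e in window})
            else:
                raise ValueError(f"unsupported correlation type {rule['type']!r}")
            if _condition_holds(value, rule["condition"]):
                alerts.append({
                    "group": dict(zip(rule["group-by"], key)),
                    "count": value,
                    "window_start": first["ts"].isoformat(),
                })
                break  # one alert per group; later windows would be duplicates
    return alerts


if __name__ == "__main__":
    for name, rule in (("event_count", EVENT_COUNT_RULE), ("value_count", VALUE_COUNT_RULE)):
        print(name, correlate(EVENTS, rule))
```

Run as-is, the base rule alone would have produced eight hits across three hosts. The `event_count` correlation fires for WS01 and WS02, while `value_count` over `cmd` fires only for WS01, since the WS02 script repeats one command and never reaches three distinct discovery commands in five minutes.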

Hi @tonifef, we are not ready to integrate Sigma v2 correlation rules to the rules repo yet. We will keep this PR open until we are ready to do so and then start working on integrating it.

phantinuss, May 27 '25 09:05

Will be migrated as part of the correlation support coming next year

nasbench, Nov 17 '25 00:11