Sigma Versions

Main Sigma Rule Repository

r2023-11-06

6 months ago

New Rules

  • new: AWS S3 Bucket Versioning Disable
  • new: DNS Query To Devtunnels And VsCode Tunnels
  • new: Diamond Sleet APT DLL Sideloading Indicators
  • new: Diamond Sleet APT DNS Communication Indicators
  • new: Diamond Sleet APT File Creation Indicators
  • new: Diamond Sleet APT Process Activity Indicators
  • new: Diamond Sleet APT Scheduled Task Creation
  • new: Diamond Sleet APT Scheduled Task Creation - Registry
  • new: Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback
  • new: Exploitation Indicators Of CVE-2023-20198
  • new: New Okta User Created
  • new: Okta 2023 Breach Indicator Of Compromise
  • new: Okta Admin Functions Access Through Proxy
  • new: Okta Password Health Report Query
  • new: Onyx Sleet APT File Creation Indicators
  • new: Potential Pikabot C2 Activity - Suspicious Process Created By Rundll32.EXE
  • new: Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE
  • new: Potential Pikabot Hollowing Activity - Suspicious Process Created By Rundll32.EXE
  • new: Renamed Visual Studio Code Tunnel Execution
  • new: Renamed VsCode Code Tunnel Execution - File Indicator
  • new: Security Tools Keyword Lookup Via Findstr.EXE
  • new: Suspicious Unsigned Thor Scanner Execution
  • new: Visual Studio Code Tunnel Execution
  • new: Visual Studio Code Tunnel Remote File Creation
  • new: Visual Studio Code Tunnel Service Installation
  • new: Visual Studio Code Tunnel Shell Execution
  • new: VsCode Code Tunnel Execution File Indicator

Updated Rules

  • update: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
  • update: Antivirus Relevant File Paths Alerts
  • update: Csc.EXE Execution Form Potentially Suspicious Parent - add more MS Office tools, suspicious locations and filter known FPs
  • update: Delete Volume Shadow Copies Via WMI With PowerShell
  • update: Dump Ntds.dit To Suspicious Location
  • update: Dynamic .NET Compilation Via Csc.EXE - add more suspicious locations
  • update: HackTool - CrackMapExec - Fix logic
  • update: Linux HackTool Execution - Increase coverage by adding more tools
  • update: Linux Network Service Scanning Tools Execution - Increase coverage by adding more tools
  • update: MSI Installation From Suspicious Locations
  • update: Malware User Agent - Increase UAs coverage
  • update: Netcat The Powershell Version
  • update: Obfuscated IP Download Activity - increase coverage for more types of obfuscation and fix logic
  • update: Obfuscated IP Via CLI - increase coverage for more types of obfuscation and fix logic
  • update: Okta New Admin Console Behaviours - Field notation
  • update: Port Forwarding Activity Via SSH.EXE - Increase coverage
  • update: Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy - Fix typo in rule title
  • update: Potential Information Disclosure CVE-2023-43261 Exploitation - Web - Fix typo in rule title
  • update: Potential Okta Password in AlternateID Field - Field notation
  • update: Potential SPN Enumeration Via Setspn.EXE - Increase coverage by adding /q switch
  • update: Potentially Suspicious Cabinet File Expansion - Increase coverage
  • update: Potentially Suspicious Child Process Of VsCode
  • update: PowerShell Called from an Executable Version Mismatch
  • update: PowerShell Downgrade Attack - PowerShell
  • update: PowerShell Profile Modification - Reduce rule level to medium
  • update: Recon Command Output Piped To Findstr.EXE - Logic re-write
  • update: Registry Persistence via Service in Safe Mode - Fix typo in title
  • update: Remote PowerShell Session (PS Classic)
  • update: Renamed Powershell Under Powershell Channel
  • update: Security Software Discovery Via Powershell Script - Enhance logic, increase level to medium and demote to experimental
  • update: Suspicious File Creation Activity From Fake Recycle.Bin Folder - Increase coverage
  • update: Suspicious Non PowerShell WSMAN COM Provider
  • update: Suspicious PowerShell Download
  • update: Suspicious Process Execution From Fake Recycle.Bin Folder - Increase coverage
  • update: Suspicious XOR Encoded PowerShell Command Line - PowerShell
  • update: Tamper Windows Defender - PSClassic
  • update: Uncommon PowerShell Hosts
  • update: Use Get-NetTCPConnection
  • update: Weak or Abused Passwords In CLI - Increase coverage
  • update: Zip A Folder With PowerShell For Staging In Temp - PowerShell

Fixed Rules

  • fix: Creation of an Executable by an Executable
  • fix: File or Folder Permissions Modifications
  • fix: Import New Module Via PowerShell CommandLine
  • fix: Potential Active Directory Reconnaissance/Enumeration Via LDAP - Update logsource
  • fix: Potential System DLL Sideloading From Non System Locations
  • fix: Process Terminated Via Taskkill
  • fix: Suspicious Non-Browser Network Communication With Google API - Fix escaped wildcard issue and Update modifiers
  • fix: Suspicious Sysmon as Execution Parent - Typo and restructure
  • fix: Uncommon PowerShell Hosts - Fix escaped wildcard issue

Acknowledgement

Thanks to @citronninja, @EzLucky, @faisalusuf, @frack113, @fukusuket, @gs3cl, @nasbench, @netgrain, @phantinuss, @sifex, @sj-sec, @tjgeorgen, @ts-lbf, @Tuutaans, @wagga40, @X-Junior for their contribution to this release

Which Sigma rule package should I use?

A detailed explanation can be found in the Releases.md file. If you are new to Sigma, we recommend starting with the "Core" ruleset.

The latest release package on GitHub can always be found here.

r2023-10-23

6 months ago

New Rules

  • new: BlueSky Ransomware Artefacts
  • new: Certificate Use With No Strong Mapping
  • new: DarkGate - Autoit3.EXE Execution Parameters
  • new: DarkGate - Autoit3.EXE File Creation By Uncommon Process
  • new: File Download From IP Based URL Via CertOC.EXE
  • new: File Download From IP URL Via Curl.EXE
  • new: HackTool - CoercedPotato Execution
  • new: HackTool - CoercedPotato Named Pipe Creation
  • new: LSASS Process Memory Dump Creation Via Taskmgr.EXE
  • new: Lazarus APT DLL Sideloading Activity
  • new: MSSQL Server Failed Logon
  • new: MSSQL Server Failed Logon From External Network
  • new: Mail Forwarding/Redirecting Activity In O365
  • new: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
  • new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
  • new: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
  • new: Potential Information Discolosure CVE-2023-43261 Exploitation - Proxy
  • new: Potential Information Discolosure CVE-2023-43261 Exploitation - Web
  • new: PowerShell Script Execution Policy Enabled
  • new: Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
  • new: Rundll32.EXE Calling DllRegisterServer Export Function Explicitly

Updated Rules

  • update: ADSI-Cache File Creation By Uncommon Tool
  • update: Alternate PowerShell Hosts Pipe
  • update: Arbitrary File Download Via GfxDownloadWrapper.EXE
  • update: DarkGate - User Created Via Net.EXE
  • update: File Download via CertOC.EXE
  • update: Files With System Process Name In Unsuspected Locations
  • update: PSScriptPolicyTest Creation By Uncommon Process
  • update: Potential PowerShell Execution Policy Tampering
  • update: Potential Webshell Creation On Static Website - Increase coverage with new extensions.
  • update: Potentially Suspicious Office Document Executed From Trusted Location
  • update: PowerShell Module File Created By Non-PowerShell Process
  • update: PowerShell Profile Modification
  • update: Remote Thread Creation By Uncommon Source Image
  • update: Remote Thread Creation In Uncommon Target Image
  • update: Renamed CURL.EXE Execution - Extended filter
  • update: Suspicious File Download From IP Via Curl.EXE
  • update: Suspicious LNK Double Extension File Created

Fixed Rules

  • fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
  • fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
  • fix: Control Panel Items - FP with command line observed from taskhost.exe
  • fix: Direct Syscall of NtOpenProcess - FP with another Firefox process and removing drive letters
  • fix: Direct Syscall of NtOpenProcess - falsepositives meta data
  • fix: Execution of Suspicious File Type Extension - FP with OpenOffice
  • fix: Google Workspace Application Removed - Update logsource product field to gcp
  • fix: Google Workspace Granted Domain API Access - Update logsource product field to gcp
  • fix: Google Workspace MFA Disabled - Update logsource product field to gcp
  • fix: Google Workspace Role Modified or Deleted - Update logsource product field to gcp
  • fix: Google Workspace Role Privilege Deleted - Update logsource product field to gcp
  • fix: Google Workspace User Granted Admin Privileges - Update logsource product field to gcp
  • fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
  • fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
  • fix: Potential Shellcode Injection - remove System.ni.dll as there are multiple FPs with ntdll.dll
  • fix: Potentially Suspicious AccessMask Requested From LSASS - FP with Avira from Windows temp folder
  • fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
  • fix: Rundll32 Execution Without DLL File - remove non-essential ParentCommandLine dependency in filter
  • fix: Schtasks Creation Or Modification With SYSTEM Privileges - remove non-essential ParentImage dependency in filter
  • fix: Suspicious Elevated System Shell - FP with Avira update utility
  • fix: Suspicious Elevated System Shell - remove non-essential ParentImage dependency in filter
  • fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with another sdbinst execution by svchost
  • fix: Suspicious Sysmon as Execution Parent - add WERFaultSecure.exe as exception
  • fix: System File Execution Location Anomaly - add pwsh 7 preview path as exception

Acknowledgement

Thanks to @frack113, @netgrain, @cyb3rjy0t, @greg-workspace, @mbabinski, @nasbench, @Neo23x0, @phantinuss, @swachchhanda000, @ThureinOo, @br4dy5 for their contribution to this release

r2023-10-09

7 months ago

New Rules

  • new: ADS Zone.Identifier Deleted
  • new: ADS Zone.Identifier Deleted By Uncommon Application
  • new: AWS Identity Center Identity Provider Change
  • new: Access To .Reg/.Hive Files By Uncommon Application
  • new: Activity From Anonymous IP Address
  • new: AddinUtil.EXE Execution From Uncommon Directory
  • new: Anomalous User Activity
  • new: Application Terminated Via Wmic.EXE
  • new: Atypical Travel
  • new: Azure AD Account Credential Leaked
  • new: Azure AD Threat Intelligence
  • new: Browser Execution In Headless Mode
  • new: CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
  • new: CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
  • new: CVE-2023-40477 Potential Exploitation - .REV File Creation
  • new: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
  • new: Chromium Browser Headless Execution To Mockbin Like Site
  • new: DMP/HDMP File Creation
  • new: DarkGate User Created Via Net.EXE
  • new: Disabling Multi Factor Authenication
  • new: Diskshadow Child Process Spawned
  • new: Diskshadow Script Mode - Execution From Potential Suspicious Location
  • new: Diskshadow Script Mode - Uncommon Script Extension Execution
  • new: ESXi Account Creation Via ESXCLI
  • new: ESXi Admin Permission Assigned To Account Via ESXCLI
  • new: ESXi Network Configuration Discovery Via ESXCLI
  • new: ESXi Storage Information Discovery Via ESXCLI
  • new: ESXi Syslog Configuration Change Via ESXCLI
  • new: ESXi System Information Discovery Via ESXCLI
  • new: ESXi VM Kill Via ESXCLI
  • new: ESXi VM List Discovery Via ESXCLI
  • new: ESXi VSAN Information Discovery Via ESXCLI
  • new: Hypervisor Enforced Code Integrity Disabled
  • new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols
  • new: IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI
  • new: IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32
  • new: Impossible Travel
  • new: Invalid PIM License
  • new: LOL-Binary Copied From System Directory
  • new: LSASS Dump Keyword In CommandLine
  • new: Malicious Driver Load
  • new: Malicious Driver Load By Name
  • new: Malicious IP Address Sign-In Failure Rate
  • new: Malicious IP Address Sign-In Suspicious
  • new: Network Connection Initiated By AddinUtil.EXE
  • new: New Country
  • new: New Federated Domain Added
  • new: Okta Identity Provider Created
  • new: Okta New Admin Console Behaviours
  • new: Okta Suspicious Activity Reported by End-user
  • new: Okta User Session Start Via An Anonymising Proxy Service
  • new: Old TLS1.0/TLS1.1 Protocol Version Enabled
  • new: Password Spray Activity
  • new: Potentially Suspicious Child Process Of DiskShadow.EXE
  • new: Potentially Suspicious Child Process Of WinRAR.EXE
  • new: Potentially Suspicious DMP/HDMP File Creation
  • new: Potentially Suspicious Electron Application CommandLine
  • new: Primary Refresh Token Access Attempt
  • new: Remote Access Tool - ScreenConnect Command Execution
  • new: Remote Access Tool - ScreenConnect File Transfer
  • new: Remote Access Tool - ScreenConnect Remote Command Execution
  • new: Remote Access Tool - ScreenConnect Temporary File
  • new: Remote DLL Load Via Rundll32.EXE
  • new: Renamed CURL.EXE Execution
  • new: Roles Activated Too Frequently
  • new: Roles Activation Doesn't Require MFA
  • new: Roles Are Not Being Used
  • new: Roles Assigned Outside PIM
  • new: SAML Token Issuer Anomaly
  • new: Sign-In From Malware Infected IP
  • new: Stale Accounts In A Privileged Role
  • new: Suspicious AddinUtil.EXE CommandLine Execution
  • new: Suspicious Browser Activity
  • new: Suspicious Inbox Forwarding Identity Protection
  • new: Suspicious Inbox Manipulation Rules
  • new: Too Many Global Admins
  • new: Uncommon AddinUtil.EXE CommandLine Execution
  • new: Uncommon Child Process Of AddinUtil.EXE
  • new: Unfamiliar Sign-In Properties
  • new: VMMap Signed Dbghelp.DLL Potential Sideloading
  • new: Vulnerable Driver Load
  • new: Vulnerable Driver Load By Name

Updated Rules

  • update: 7Zip Compressing Dump Files - Increase coverage
  • update: 7Zip Compressing Dump Files - Reduce level
  • update: Access To Browser Credential Files By Uncommon Application
  • update: Access To Windows Credential History File By Uncommon Application
  • update: Access To Windows DPAPI Master Keys By Uncommon Application
  • update: Added some bypass methods used by SQLI Injectors.
  • update: Amsi.DLL Loaded Via LOLBIN Process - Reduce level to medium
  • update: COM Hijack via Sdclt - Fix Logic
  • update: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Increase coverage
  • update: Creation of an Executable by an Executable - Fix FP
  • update: Credential Manager Access By Uncommon Application
  • update: DLL Load By System Process From Suspicious Locations - Reduce level to medium
  • update: DNS Query Request By Regsvr32.EXE - Reduce level to medium
  • update: DNS Query To MEGA Hosting Website - DNS Client - Update title and reduce level to medium
  • update: DNS Query To MEGA Hosting Website - Reduce level to low and update metadata
  • update: DNS Query To Remote Access Software Domain From Non-Browser App - Increase coverage with new domains
  • update: DNS Query To Ufile.io - DNS Client - Update title and reduce level to low
  • update: DNS Query To Ufile.io - Update title and reduce level to low
  • update: DNS Query Tor .Onion Address - Sysmon - Update title
  • update: DNS Server Discovery Via LDAP Query - Reduce level to low and update FP filters
  • update: Detects path traversal exploitation attempts - Increase coverage
  • update: Detects sql injection exploitation attempts - Increase coverage
  • update: Diskshadow Script Mode Execution
  • update: DriverQuery.EXE Execution - Increase coverage
  • update: File Download From Browser Process Via Inline Link
  • update: Fsutil Suspicious Invocation - add "setZeroData" coverage
  • update: Greedy File Deletion Using Del - Increase coverage
  • update: LOLBIN Execution From Abnormal Drive
  • update: LSASS Memory Dump File Creation - Deprecated
  • update: LSASS Process Memory Dump Files - Add PPLBlade default dump file indicator
  • update: Leviathan Registry Key Activity - Fix logic
  • update: Linux Network Service Scanning - Auditd - Update coverage to add ncat and nc.openbsd
  • update: Network Connection Initiated By Regsvr32.EXE - Reduce level to medium and metadata update
  • update: New Federated Domain Added - Exchange
  • update: New Firewall Rule Added In Windows Firewall Exception List - update logic
  • update: Non Interactive PowerShell Process Spawned - Increase coverage
  • update: Ntdsutil Abuse - Update ATT&CK tags
  • update: OceanLotus Registry Activity - Fix Logic
  • update: Office Application Startup - Office Test - Fix Logic
  • update: OneNote Attachment File Dropped In Suspicious Location - Fix FP
  • update: Potential Browser Data Stealing - Increase coverage with more browsers
  • update: Potential Dead Drop Resolvers - Increase coverage with new domains
  • update: Potential Persistence Via COM Hijacking From Suspicious Locations - Increase coverage and fix logic
  • update: Potential Persistence Via COM Search Order Hijacking - Fix Logic
  • update: Potential Process Hollowing Activity - Update FP filters
  • update: Potential Recon Activity Using DriverQuery.EXE - Increase coverage
  • update: Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Reduce level to medium
  • update: Potentially Suspicious Compression Tool Parameters
  • update: Potentially Suspicious Event Viewer Child Process - Update metadata
  • update: Potentially Suspicious Windows App Activity - Fix FP, increase coverage and reduce level
  • update: PowerShell Initiated Network Connection - Update description
  • update: PowerShell Module File Created By Non-PowerShell Process - Fix FP
  • update: PsExec Tool Execution From Suspicious Locations - PipeName - Reduce level to medium
  • update: Python Image Load By Non-Python Process - Update description and title
  • update: Python Initiated Connection - Update FP filter
  • update: Qakbot Uninstaller Execution - add new hashes
  • update: Remote Thread Creation By Uncommon Source Image - Update FP filter
  • update: Renamed AutoIt Execution - Increase coverage
  • update: Rundll32 Execution Without CommandLine Parameters - Add CLI variations
  • update: Suspicious Child Process Of Manage Engine ServiceDesk
  • update: Suspicious Chromium Browser Instance Executed With Custom Extensions - Increase coverage
  • update: Suspicious Copy From or To System Directory - Add new folder "WinSxS"
  • update: Suspicious Electron Application Child Processes - Increase coverage
  • update: Suspicious Scripting in a WMI Consumer - update logic
  • update: Suspicious WebDav Client Execution Via Rundll32.EXE - New Title
  • update: Sysinternals Tools AppX Versions Execution - Reduce level to low
  • update: Sysmon Blocked Executable - Update logsource
  • update: UAC Bypass via Event Viewer - Fix Logic
  • update: UNC2452 Process Creation Patterns - Fix logic
  • update: Usage Of Malicious POORTRY Signed Driver - Deprecated
  • update: VMMap Unsigned Dbghelp.DLL Potential Sideloading
  • update: Vulnerable AVAST Anti Rootkit Driver Load - Deprecated
  • update: Vulnerable Dell BIOS Update Driver Load - Deprecated
  • update: Vulnerable Driver Load By Name - Deprecated
  • update: Vulnerable GIGABYTE Driver Load - Deprecated
  • update: Vulnerable HW Driver Load - Deprecated
  • update: Vulnerable Lenovo Driver Load - Deprecated
  • update: WebDav Client Execution Via Rundll32.EXE
  • update: Windows Update Error - Reduce level to informational and status to stable
  • update: Winrar Compressing Dump Files - Increase Coverage
  • update: Winrar Execution in Non-Standard Folder
  • update: Wscript Execution from Non C Drive - Deprecated

Fixed Rules

  • fix: Disabling Multi Factor Authentication - Fix typo in title, description and detection logic
  • fix: Files With System Process Name In Unsuspected Locations - FP with wuaucltcore
  • fix: Generic Password Dumper Activity on LSASS - FP with GoogleUpdate.exe
  • fix: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation - FP with $WinREAgent folder
  • fix: Potential Dead Drop Resolvers - FP with chrome/FF being installed in appdata
  • fix: Rundll32 Execution Without DLL File - FP with another zzzzInvokeManagedCustomActionOutOfProc MSI installer
  • fix: Search-ms and WebDAV Suspicious Indicators in URL - use explicit CIDR notation for loopback
  • fix: Suspicious Elevated System Shell
  • fix: Suspicious Elevated System Shell - False positives during updates presumably
  • fix: Suspicious Elevated System Shell - False positives from CompatTelRunner
  • fix: Suspicious Elevated System Shell - update FP for improved script that causes a FP
  • fix: Suspicious Epmap Connection - FP with unknown process
  • fix: Suspicious Epmap Connection - Fix false positives found with null and empty values
  • fix: Suspicious Shim Database Installation via Sdbinst.EXE - FP with being started as a background service
  • fix: Suspicious Sysmon as Execution Parent - Add null value edge case

Acknowledgement

Thanks to @alwashali, @cyb3rjy0t, @frack113, @gleeiamglo, @GtUGtHGtNDtEUaE, @kelnage, @kidrek, @MarkMorow, @Mladia, @nasbench, @Neo23x0, @phantinuss, @redteampanda-ng, @RobertSchull, @sanjay900, @securepeacock, @SILJAEUROPA, @ThureinOo, @tjgeorgen, @Uglybeard, @veramine, @wagga40, @WTFender for their contribution to this release

0.21

2 years ago

Added

  • Azure Sentinel backend
  • OpenSearch Monitor backend
  • Hawk backend
  • Datadog backend
  • FortiSIEM backend
  • Lacework agent data support
  • Athena SQL backend
  • Regex support in SQLite backend
  • Additional field mappings

Changed

  • Log source refactoring

Fixed

  • Mapping fixes
  • Various bugfixes
  • Disabled problematic optimization

0.20

2 years ago

Added

  • Devo backend
  • Fields selection added to SQL backend
  • Linux/MacOS support for MDATP backend
  • Output results as generic YAML/JSON
  • Hash normalization option (hash_normalize) for Elasticsearch wildcard handling
  • ALA AWS Cloudtrail and Azure mappings
  • LogRhythm backend
  • Splunk Data Models backend
  • Further log sources used in open source Sigma ruleset
  • CarbonBlack EDR backend
  • Elastic EQL backend
  • Additional conversion selection filters
  • Filter negation
  • Specify table in SQL backend
  • Generic registry event log source
  • Chronicle backend

Changed

  • Elastic Watcher backend populates name attribute instead of title.
  • One item list optimization.
  • Updated Winlogbeat mapping
  • Generic mapping for Powershell backend

Fixed

  • Elastalert multi output file
  • Fixed duplicate output in ElastAlert backend
  • Escaping in Graylog backend
  • es-rule ndjson output
  • Various fixes of known bugs

0.19.1

3 years ago

Changed

  • Added LGPL license to distribution

0.19

3 years ago

Added

  • New parameters for Elastic backends
  • Various field mappings
  • FireEye Helix backend
  • Generic log source image_load
  • Kibana NDJSON backend
  • uberAgent ESA backend
  • SumoLogic CSE backend

Changed

  • Updated mdatp backend fields
  • QRadar query generation optimized
  • MDATP: case insensitive search

Fixed

  • Fixed QRadar implementation to create valid AQL queries
  • Nested conditions
  • Various minor bug fixes

0.18.1

3 years ago

Note regarding version 0.18.1: release created for technical reasons (issues with extended README and PyPI), no real changes done to 0.18.0.

Added

  • C# backend
  • STIX backend
  • Options to xpack-watcher backend (action_throttle_period, mail_from acaw, mail_profile and other)
  • More generic log sources
  • Windows Defender log sources
  • Generic DNS query log source
  • AppLocker log source

Changed

  • Improved backend and configuration descriptions
  • Microsoft Defender ATP mapping updated
  • Improved handling of wildcards in Elastic backends

Fixed

  • Powershell backend: key name was incorrectly added into regular expression
  • Grouping issue in Carbon Black backend
  • Handling of default field mapping in case a field is referenced multiple times from a rule
  • Code cleanup and various fixes
  • Log source mappings in configurations
  • Handling of conditional field mappings by Elastic backends

0.17.0

3 years ago

Added

  • LOGIQ Backend (logiq)
  • CarbonBlack backend (carbonblack) and field mappings
  • Elasticsearch detection rule backend (es-rule)
  • ee-outliers backend
  • CrowdStrike backend (crowdstrike)
  • Humio backend (humio)
  • Aggregations in SQL backend
  • SQLite backend (sqlite)
  • AWS Cloudtrail ECS mappings
  • Overrides
  • Zeek configurations for various backends
  • Case-insensitive matching for Elasticsearch
  • ECS proxy mappings
  • RuleName field mapping for Winlogbeat
  • sigma2attack tool

Changed

  • Improved usage of keyword fields for Elasticsearch-based backends
  • Splunk XML backend rule titles from sigma rule instead of file name
  • Moved backend option list to --help-backend
  • Microsoft Defender ATP schema improvements

Fixed

  • Splunk XML rule name is now set to rule title
  • Backend list deduplicated
  • Wrong escaping of wildcard at end of value when startswith modifier is used.
  • Direct execution of tools on Windows systems by addition of script entry points

0.16.0

4 years ago

Added

  • Proxy field names to ECS mapping (ecs-proxy) configuration
  • False positives metadata to LimaCharlie backend
  • Additional aggregation capabilities for es-dsl backend.
  • Azure log analytics rule backend (ala-rule)
  • SQL backend
  • Splunk Zeek sourcetype mapping config
  • sigma2attack script
  • Carbon Black backend and configuration
  • ArcSight ESM backend
  • Elasticsearch detection rule backend

Changed

  • Kibana object id is now the Sigma rule id if available; otherwise the old naming scheme is used.
  • sigma2misp: replacement of deprecated method usage.
  • Various configuration updates
  • Extended ArcSight mapping

Fixed

  • Fixed aggregation queries for Elastalert backend
  • Fixed aggregation queries for es-dsl backend
  • Backend and configuration lists are sorted.
  • Escaping in ala backend