Merge branch 'SigmaHQ:master' into feature/uberagent-compat-6.2

This commit is contained in:
Sven Scharmentke
2021-11-17 16:30:05 +01:00
committed by GitHub
263 changed files with 1199 additions and 342 deletions
+1 -1
@@ -24,7 +24,7 @@ jobs:
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install pipenv
pip install pipenv==2021.5.29
pipenv lock
pipenv install --dev --deploy
- name: Test Sigma Tools and Rules
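Review bot: Pinning `pip install pipenv==2021.5.29` makes the tool version reproducible, but the step still runs `pipenv lock` immediately before `pipenv install --dev --deploy`, and regenerating the lockfile in CI from whatever the index resolves at that moment removes the out-of-date check that `--deploy` exists to provide, so the tests no longer run against a pinned dependency set. If a Pipfile.lock is committed, dropping the `pipenv lock` line lets `--deploy` fail on a stale lock instead; if it is not committed, the `--deploy` flag adds nothing and a comment such as `# lock is regenerated here, so --deploy does not pin versions` would at least make that explicit. Whether the lockfile is committed cannot be seen from this hunk, and the enclosing job definition starts before it.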
@@ -14,7 +14,7 @@ tags:
status: experimental
date: 2021/08/23
logsource:
product: Windows
product: windows
category: file_event
detection:
#useful_information: Please add more file extensions and magic bytes to the logic of your choice.
@@ -23,22 +23,23 @@ detection:
- 'winword.exe'
- 'excel.exe'
- 'powerpnt.exe'
- 'outlook.exe'
selection2:
FileName|endswith:
- ".exe"
- ".dll"
- ".ocx"
- ".com"
- ".ps1"
- ".vbs"
- ".sys"
- ".bat"
- ".scr"
- ".proj"
- ".exe"
- ".dll"
- ".ocx"
- ".com"
- ".ps1"
- ".vbs"
- ".sys"
- ".bat"
- ".scr"
- ".proj"
selection3:
FileMagicBytes|startswith:
- "4D5A"
- "4D5A"
condition: selection1 and (selection2 or selection3)
falsepositives:
- Unknown
- Unknown
level: high
@@ -3,6 +3,7 @@ id: 865c10a6-9541-4d11-9f45-9a3484e23b0a
description: Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
status: experimental
date: 2021/09/18
modified: 2021/11/11
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.privilege_escalation
@@ -21,7 +22,7 @@ logsource:
detection:
selection:
type: 'SYSCALL'
SYSCALL: 'execve'
syscall: 'execve'
uid: '0'
cwd: '/var/opt/microsoft/scx/tmp'
cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx
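Review bot: Renaming `SYSCALL: 'execve'` to `syscall: 'execve'` changes which record format the rule can match, because raw auditd SYSCALL records carry the numeric form (`syscall=59` on x86_64, a different number on other architectures) while the name-interpreted field that `log_format=ENRICHED` or `ausearch -i` adds is the uppercase `SYSCALL=execve`; with the lowercase key and a name value the selection matches only if the collector normalizes the field, otherwise the rule silently never fires. This should be stated in the rule, for example above `selection:` add `# assumes the collector maps the interpreted syscall name into a lowercase 'syscall' field; raw audit.log carries syscall=<number>`, or the field mapping should be confirmed in the auditd backend config. A smaller style point in the same hunk: `cmdline|contains: /etc/opt/microsoft/scx/conf/tmpdir/scx` is the only unquoted value in the selection; quoting it as `'/etc/opt/microsoft/scx/conf/tmpdir/scx'` keeps it consistent with the other fields. The `detection` mapping continues past the end of the hunk, so any additional conditions are not visible here.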
@@ -7,6 +7,7 @@ date: 2021/09/23
references:
- https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -8,6 +8,7 @@ modified: 2021/08/09
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -6,6 +6,7 @@ author: vitaliy0x1
date: 2020/01/21
modified: 2021/08/09
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -12,6 +12,7 @@ tags:
- attack.t1486
- attack.t1565
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -8,6 +8,7 @@ modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -8,6 +8,7 @@ modified: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -8,6 +8,7 @@ modified: 2021/08/20
references:
- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/15
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/15
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/16
references:
- https://any-api.com/amazonaws_com/eks/docs/API_Description
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -8,6 +8,7 @@ modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -8,6 +8,7 @@ modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
logsource:
product: aws
service: cloudtrail
detection:
selection:
+1
@@ -6,6 +6,7 @@ author: toffeebr33k
date: 2020/11/21
modified: 2021/08/09
logsource:
product: aws
service: cloudtrail
detection:
selection_eventname:
@@ -8,6 +8,7 @@ modified: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -8,6 +8,7 @@ modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -8,6 +8,7 @@ update: 2021/10/13
references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
logsource:
product: aws
service: cloudtrail
detection:
selection1:
+1
@@ -10,6 +10,7 @@ tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -9,6 +9,7 @@ references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
logsource:
product: aws
service: cloudtrail
detection:
selection1:
@@ -8,6 +8,7 @@ modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -8,6 +8,7 @@ modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -8,6 +8,7 @@ modified: 2021/08/09
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
logsource:
product: aws
service: cloudtrail
detection:
selection_usertype:
@@ -9,6 +9,7 @@ references:
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/07/22
references:
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -14,6 +14,7 @@ references:
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -10,6 +10,7 @@ tags:
- attack.defense_evasion
- attack.t1562
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -9,6 +9,7 @@ references:
- https://www.justice.gov/file/1080281/download
- https://attack.mitre.org/techniques/T1537/
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -9,6 +9,7 @@ references:
- https://github.com/elastic/detection-rules/pull/1214
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://github.com/elastic/detection-rules/pull/1213
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
logsource:
product: aws
service: cloudtrail
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
logsource:
product: aws
service: cloudtrail
detection:
selection1:
@@ -9,6 +9,7 @@ date: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
logsource:
product: aws
service: cloudtrail
detection:
selection_source:
@@ -13,6 +13,7 @@ tags:
references:
- https://o365blog.com/post/hybridhealthagent/
logsource:
product: azure
service: AzureActivity
detection:
selection:
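Review bot: Adding `product: azure` is consistent with the rest of the commit, but this rule keeps `service: AzureActivity` while the other Azure activity-log rules touched here use `service: azure.activitylogs`, so a backend config keyed on `azure`/`azure.activitylogs` will not translate this rule and it silently yields no query. Either align it to `service: azure.activitylogs` (the same applies to the other rules in this commit that still use `AzureActivity`) or add a comment explaining why this rule targets a separately named source. The detection block continues past the end of the hunk.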
@@ -13,6 +13,7 @@ tags:
references:
- https://o365blog.com/post/hybridhealthagent/
logsource:
product: azure
service: AzureActivity
detection:
selection:
@@ -7,6 +7,7 @@ description: Identifies user account which has been locked because the user trie
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
product: azure
service: azure.signinlogs
detection:
selection:
@@ -7,6 +7,7 @@ references:
- https://attack.mitre.org/techniques/T1098/003/
- https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/09/02
references:
- https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ description: Change to authentication method could be an indicated of an attacke
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
product: azure
service: azure.auditlogs
detection:
selection:
@@ -11,6 +11,7 @@ references:
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ description: Number of VM creations or deployment activities occur in Azure via
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
logsource:
product: azure
service: AzureActivity
detection:
keywords:
@@ -7,6 +7,7 @@ date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/09/06
references:
- https://attack.mitre.org/techniques/T1078
logsource:
product: azure
service: azure.signinlogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ description: Identifies IPs from which users grant access to other users on azur
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
logsource:
product: azure
service: AzureActivity
detection:
keywords:
@@ -7,6 +7,7 @@ date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -11,6 +11,7 @@ references:
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
logsource:
product: azure
service: azure.activitylogs
detection:
selection_operation_name:
@@ -11,6 +11,7 @@ references:
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
logsource:
product: azure
service: azure.activitylogs
detection:
selection_operation_name:
@@ -11,6 +11,7 @@ references:
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -11,6 +11,7 @@ references:
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -11,6 +11,7 @@ references:
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -11,6 +11,7 @@ references:
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ description: Detect failed attempts to sign in to disabled accounts.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
product: azure
service: azure.signinlogs
detection:
selection:
@@ -7,6 +7,7 @@ description: Identifies user login with multifactor authentication failures, whi
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
product: azure
service: azure.signinlogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/09/02
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/09/21
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ description: Identifies IPs from which users grant access to other users on azur
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
logsource:
product: azure
service: AzureActivity
detection:
keywords:
@@ -7,6 +7,7 @@ date: 2021/09/02
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/09/03
references:
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ description: Detect access has been blocked by Conditional Access policies. The
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
logsource:
product: azure
service: azure.signinlogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
product: azure
service: azure.activitylogs
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/14
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/14
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/15
references:
- https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/15
references:
- https://cloud.google.com/dns/docs/reference/v1/managedZones
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
- https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
- https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -11,6 +11,7 @@ references:
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/09
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/14
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/14
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/10/15
references:
- https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/users/update
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -7,6 +7,7 @@ date: 2021/08/16
references:
- https://any-api.com/googleapis_com/compute/docs/vpnTunnels
logsource:
product: gcp
service: gcp.audit
detection:
selection:
@@ -9,6 +9,7 @@ references:
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
logsource:
product: google_workspace
service: google_workspace.admin
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
logsource:
product: google_workspace
service: google_workspace.admin
detection:
selection:
@@ -10,6 +10,7 @@ references:
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
logsource:
product: google_workspace
service: google_workspace.admin
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
logsource:
product: google_workspace
service: google_workspace.admin
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
logsource:
product: google_workspace
service: google_workspace.admin
detection:
selection:
@@ -8,6 +8,7 @@ references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
logsource:
product: google_workspace
service: google_workspace.admin
detection:
selection:
@@ -9,7 +9,7 @@ references:
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
product: m365
detection:
selection:
eventSource: SecurityComplianceCenter
