refactor: first bigger log source refactoring

see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
parent a5281c0eaf
commit e91fc4486e
78 changed files with 103 additions and 106 deletions
@@ -1,7 +1,7 @@
 title: Azure Active Directory Hybrid Health AD FS New Server
 id: 288a39fc-4914-4831-9ada-270e9dc12cb4
 description: |
-  This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
+  This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
  A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
  This can be done programmatically via HTTP requests to Azure.
 status: experimental
@@ -14,7 +14,7 @@ references:
  - https://o365blog.com/post/hybridhealthagent/
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  selection:
    CategoryValue: 'Administrative'
@@ -1,7 +1,7 @@
 title: Azure Active Directory Hybrid Health AD FS Service Delete
 id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
 description: |
-  This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
+  This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
  A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
  The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
 status: experimental
@@ -14,7 +14,7 @@ references:
  - https://o365blog.com/post/hybridhealthagent/
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  selection:
    CategoryValue: 'Administrative'
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
  selection:
    ResultType: 50053
@@ -8,7 +8,7 @@ references:
    - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 'Update application - Certificates and secrets management'
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.auditlogs
+  service: auditlogs
 detection:
  selection:
    LoggedByService: 'Authentication Methods'
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -1,15 +1,15 @@
 title: Number Of Resource Creation Or Deployment Activities
 id: d2d901db-7a75-45a1-bc39-0cbf00812192
 status: test
-description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
+description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  keywords:
    - Microsoft.Compute/virtualMachines/write
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message|startswith: MICROSOFT.NETWORK/DNSZONES
@@ -8,7 +8,7 @@ references:
    - https://attack.mitre.org/techniques/T1078
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
    selection:
        properties.message: Set federation settings on domain
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -4,12 +4,12 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  keywords:
    - Microsoft.Authorization/roleAssignments/write
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection1:
          properties.message|startswith:
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -11,7 +11,7 @@ references:
    - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
 logsource:
    product: azure
-    service: azure.activitylogs
+    service: activitylogs
 detection:
    selection1:
          properties.message|startswith:
@@ -9,7 +9,7 @@ references:
    - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection_operation_name:
          properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -9,7 +9,7 @@ references:
    - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection_operation_name:
          properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -12,7 +12,7 @@ references:
    - https://attack.mitre.org/matrices/enterprise/cloud/
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
  selection:
    ResultType: 50057
@@ -9,7 +9,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
 logsource:
    product: azure
-    service: azure.activitylogs
+    service: activitylogs
 detection:
    selection:
        eventSource: AzureActiveDirectory
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
  selection:
    ResultType: 50074
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -4,12 +4,12 @@ status: test
 description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
 author: sawwinnnaung
 references:
-  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
+  - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml
 date: 2020/05/07
 modified: 2021/11/27
 logsource:
  product: azure
-  service: AzureActivity
+  service: azureactivity
 detection:
  keywords:
    - Microsoft.DocumentDB/databaseAccounts/listKeys/action
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 'Add service principal'
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: Remove service principal
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection1:
        properties.message: 
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
 logsource:
  product: azure
-  service: azure.auditlogs
+  service: auditlogs
 detection:
  selection:
    Category: 'Administrative'
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message: 
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
    selection1:
          ResultType: 50097
@@ -8,7 +8,7 @@ references:
  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
 logsource:
  product: azure
-  service: azure.signinlogs
+  service: signinlogs
 detection:
  selection:
    ResultType: 53003
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message|startswith:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 logsource:
  product: azure
-  service: azure.activitylogs
+  service: activitylogs
 detection:
    selection:
        properties.message:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatDetection
+    service: threat_detection
    product: m365
 detection:
    selection:
@@ -9,7 +9,7 @@ references:
 date: 2020/07/06
 modified: 2021/11/27
 logsource:
-  category: ThreatManagement
+  service: threat_management
  product: m365
 detection:
  selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -11,7 +11,7 @@ references:
    - https://www.sygnia.co/golden-saml-advisory
    - https://o365blog.com/post/aadbackdoor/
 logsource:
-    category: Exchange
+    service: exchange
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -8,7 +8,7 @@ references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
 logsource:
-    category: ThreatManagement
+    service: threat_management
    product: m365
 detection:
    selection:
@@ -53,7 +53,7 @@ references:
    # - PCI DSS 3.2 7.2
    # - PCI DSS 3.2 7.3
 logsource:
-    product: netflow
+    service: netflow
 detection:
    selection:
        destination.port:
@@ -8,7 +8,7 @@ references:
 date: 2017/02/28
 modified: 2021/11/27
 logsource:
-  product: apache
+  service: apache
 detection:
  keywords:
    - 'exit signal Segmentation Fault'
@@ -8,7 +8,7 @@ references:
 date: 2019/01/22
 modified: 2021/11/27
 logsource:
-  product: apache
+  service: apache
 detection:
  keywords:
    - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
@@ -15,7 +15,6 @@ tags:
    - attack.persistence
    - attack.t1505.003
 logsource:
-    product: zoho_manageengine
    category: webserver
    definition: 'Must be collect log from \ManageEngine\ADSelfService Plus\logs'
 detection:
@@ -8,7 +8,7 @@ references:
    - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
    - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
 logsource:
-    product: apache
+    service: apache
 detection:
    keywords:
        - 'exited on signal 6 (core dumped)'