blue-team-tools

Author	SHA1	Message	Date
Florian Roth	b5ebc2033e	Update azure_privileged_account_creation.yml	2022-08-11 18:25:10 +02:00
Mark Morowczynski	10871396c4	Create azure_privileged_account_creation.yml Detects when a priv account is created	2022-08-11 07:08:15 -07:00
Mark Morowczynski	8a750770cf	Create azure_guest_invite_failure.yml Detection when a user without proper permissions attempts to invite a guest account.	2022-08-10 11:01:40 -07:00
Mark Morowczynski	d1c5153103	Create azure_tap_added.yml Detection for temporary access pass (TAP) added to an account.	2022-08-10 07:09:09 -07:00
Mark Morowczynski	5591d965ce	Create azure_pim_change_settings.yml Detect when changes are made to PIM settings	2022-08-09 12:42:29 -07:00
Mark Morowczynski	0c0afaa45c	Create azure_pim_activation_approve_deny.yml Detection for PIM elevation	2022-08-09 10:01:01 -07:00
Mark Morowczynski	cdbaa27b9e	Update azure_pim_alerts_disabled.yml fixing MITRE tag	2022-08-09 08:39:45 -07:00
Mark Morowczynski	c455b6bafc	Create azure_pim_alerts_disabled.yml Detect when PIM alert settings changed to disabled	2022-08-09 08:00:48 -07:00
Mark Morowczynski	13e5d53f8d	Create azure_priviledged_role_assignment_add.yml User added to privilege role assignment	2022-08-06 07:04:33 -07:00
Mark Morowczynski	a17a2468d5	Create azure_priviledged_role_assignment_bulk_change.yml Priv role assignment removal	2022-08-05 16:06:41 -07:00
Florian Roth	dd0903bc7a	Merge pull request #3330 from MarkMorow/markmorow Create azure_group_user_addition_ca_modification.yml	2022-08-05 23:32:31 +02:00
Mark Morowczynski	203d3509ca	Create azure_group_user_addition_ca_modification.yml Adding rule for user added to group with CA modification access	2022-08-05 13:46:51 -07:00
$frack113$ frack113	fd383faeec	Merge pull request #3326 from MarkMorow/markmorow Markmorow	2022-08-05 19:49:09 +02:00
$frack113$ frack113	6ecdaa8fbf	Merge pull request #3181 from Yochana-H/Yochana-H Azure_user_password_change.yml	2022-08-05 17:39:09 +02:00
Mark Morowczynski	7c1f1cd8ba	Merge branch 'SigmaHQ:master' into markmorow	2022-08-05 06:06:05 -07:00
Mark Morowczynski	72167b6f2f	Update azure_group_user_removal_ca_modification.yml Fix audit log syntax	2022-08-05 06:05:24 -07:00
Yochana-H	92471574a4	Update azure_user_password_change.yml Space removed	2022-08-05 13:21:12 +01:00
Yochana-H	dce0962d10	Update azure_user_password_change.yml changed level	2022-08-05 13:15:35 +01:00
Mark Morowczynski	d0b0421783	Create azure_group_user_removal_ca_modification.yml Monitoring for removal of members of group that have CA modification access	2022-08-04 16:45:59 -07:00
Yochana-H	8d94d315b2	Create azure_user_password_change.yml	2022-08-04 17:30:19 +01:00
Yochana-H	b44aff5317	Update azure_legacy_authentication_protocols.yml Changes made OR not AND	2022-08-04 17:19:24 +01:00
Bailey Bercik	231777eac8	Azure AD SecOps Guide	2022-07-29 19:27:31 +02:00
MikeDuddington	7072f62991	additional detections for Azure AD	2022-07-28 19:44:51 +02:00
MikeDuddington	c0cb0d739b	Create azure_guest_to_member.yml	2022-07-28 07:04:13 +02:00
Florian Roth	29ab0cda08	Update azure_aad_secops_ca_policy_updatedby_bad_actor.yml	2022-07-27 10:43:44 +02:00
Florian Roth	9f65836403	Update azure_aad_secops_ca_policy_removedby_bad_actor.yml	2022-07-27 10:43:27 +02:00
Florian Roth	57c87e16cf	fix: wrong fields	2022-07-27 10:34:11 +02:00
Florian Roth	88eca559b9	fix: wrong condition	2022-07-26 13:34:10 +02:00
Corissa Lea Koopmans	77d7f2ca31	Added CA Policy Updated SecOps Rule CA Policy Updated by Non Approved Actor	2022-07-19 15:50:26 -05:00
$frack113$ frack113	6af6bd27e0	Change CRLF to LF	2022-07-19 19:57:28 +02:00
Corissa Lea Koopmans	94c9233dad	Adding CA Policy Removed Sec Ops Rule Conditional Access Policy removed by non-approved actors	2022-07-19 11:23:30 -05:00
$frack113$ frack113	a3b1cdc158	Add azure_aad_secops_new_ca_policy_addedby_bad_actor	2022-07-19 17:19:37 +02:00
Mark Morowczynski	301d25a7ec	Delete azure_app_logout_url.yml	2022-07-17 12:15:14 -07:00
Nasreddine Bencherchali	62574e9b0c	Update Ref+Selection 3	2022-07-11 18:12:51 +01:00
$frack113$ frack113	792fde6466	Merge pull request #3206 from baileybercik/baileybercik Create azure_app_highly_privileged_permissions.yml	2022-07-10 07:59:01 +02:00
$frack113$ frack113	0f1c8183a1	fix references	2022-07-09 08:51:45 +02:00
$frack113$ frack113	b923260be4	Update azure_app_highly_privileged_permissions.yml	2022-07-09 08:42:54 +02:00
Nasreddine Bencherchali	d03f6df250	Reference Update [Batch 1]	2022-07-07 15:24:15 +01:00
$frack113$ frack113	c43b958ac1	Merge pull request #3168 from mepples21/miepping-dev Added device registration w/o MFA sigma rule	2022-07-04 13:29:58 +02:00
$frack113$ frack113	fa4af14545	Merge pull request #3174 from mepples21/miepping-dev6 Create azure_ad_users_added_to_device_admin_roles.yml	2022-07-04 13:28:57 +02:00
$frack113$ frack113	f5668cd223	fix id	2022-07-01 21:04:56 +02:00
$frack113$ frack113	8109af3ea3	Merge pull request #3170 from mepples21/miepping-dev3 Create azure_ad_device_registration_policy_changes.yml	2022-07-01 15:49:02 +02:00
$frack113$ frack113	2aaaeed7c3	Update azure_legacy_authentication_protocols.yml	2022-07-01 14:32:09 +02:00
$frack113$ frack113	d12293d3c1	Update azure_ad_device_registration_or_join_without_mfa.yml	2022-07-01 14:25:20 +02:00
$frack113$ frack113	d4c9e5640f	Update azure_ad_sign_ins_from_noncompliant_devices.yml	2022-07-01 14:24:38 +02:00
$frack113$ frack113	fa1eb1669c	Update azure_ad_users_added_to_device_admin_roles.yml	2022-07-01 14:18:26 +02:00
$frack113$ frack113	a2c10bcade	Update azure_ad_device_registration_policy_changes.yml	2022-07-01 14:17:21 +02:00
Bailey Bercik	f7c8ded6a7	Create azure_app_highly_privileged_permissions.yml Sigma rule for apps with highly privileged permissions in Azure	2022-06-30 14:34:27 -07:00
Yochana-H	558a80ac4b	Create azure_legacy_authentication_protocols.yml	2022-06-30 11:41:45 +01:00
Florian Roth	e516fd74cb	Merge pull request #3172 from mepples21/miepping-dev5 Create azure_ad_bitlocker_key_retrieval.yml	2022-06-29 19:40:36 +02:00

1 2 3 4 5 ...

681 Commits