security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,299 Commits 1 Branch 57 Tags
3ffe83bd70635ffaf81fa27bdf51f2f72e18bcbb
Commit Graph

603 Commits

Author SHA1 Message Date
Mark Morowczynski e8c70a05d1 Create azure_app_owner_added.yml 
Added checking for new application owner.
 2022-06-02 13:37:00 -07:00
Mark Morowczynski fd5eb53e1d Create azure_app_appid_uri_changes.yml 
Adding AppID URI changes check
 2022-06-02 09:46:23 -07:00
Mark Morowczynski 55666836e6 Create azure_app_uri_modifications.yml 
Adding Application URI changes
 2022-06-02 06:44:35 -07:00
phantinuss 3412f29250 Update azure_app_device_code_authentication.yml 2022-06-02 13:58:37 +02:00
phantinuss 5be01c8bb4 Update azure_app_device_code_authentication.yml 2022-06-02 13:50:49 +02:00
frack113 2b599c07c6 Update and rename azure_app_device_code_authentication to azure_app_device_code_authentication.yml 2022-06-02 06:20:26 +02:00
Mark Morowczynski e148de65bb Merge branch 'SigmaHQ:master' into markmorow 2022-06-01 10:59:56 -07:00
Mark Morowczynski e09221d9f7 Create azure_app_device_code_authentication 
Adding Device Code flow authentication check
 2022-06-01 10:59:03 -07:00
frack113 dec8b93296 Merge pull request #3075 from MarkMorow/markmorow 
Markmorow
 2022-06-01 19:06:27 +02:00
Mark Morowczynski 4114ceef65 Update azure_app_ropc_authentication.yml 
Update Properities.message since it's one element.
 2022-06-01 09:35:45 -07:00
Mark Morowczynski 375eeab4fa Update azure_app_ropc_authentication.yml 2022-06-01 08:42:44 -07:00
Mark Morowczynski fe64f81674 Create azure_app_ropc_authentication.yml 
Adding ROPC Auth check
 2022-06-01 08:41:43 -07:00
frack113 5fd61875dc fix title case 2022-06-01 17:37:17 +02:00
frack113 6b0584ddd2 Update azure_conditional_access_failure.yml 2022-06-01 17:27:00 +02:00
Yochana-H 21da958f98 Delete azure_conditional_access_failure.txt 2022-06-01 12:58:34 +01:00
Yochana-H b912a8a7c2 Merge branch 'Yochana-H' of https://github.com/Yochana-H/sigma into Yochana-H 2022-06-01 12:04:28 +01:00
Yochana-H 8d8e74d44d Create azure_conditional_access_failure.txt 
Sign-In failures due to Conditional Access requirements not being met.
 2022-06-01 12:04:24 +01:00
Yochana-H eec0dfe821 Create azure_conditional_access_failure.txt 
Sign-In failures due to Conditional Access requirements not being met.
 2022-06-01 10:22:43 +01:00
frack113 95a0263799 Rename azure_aad_secops _signin_failure_bad_password_threshold.yml to azure_aad_secops_signin_failure_bad_password_threshold.yml 2022-05-31 20:43:32 +02:00
frack113 cafc12e334 Update azure_aad_secops _signin_failure_bad_password_threshold.yml 2022-05-31 20:36:37 +02:00
Corissa Lea Koopmans 9f115af449 Update azure_aad_secops _signin_failure_bad_password_threshold.yml 
updated title to remove capital letters and replaced a tag with the proper MITRE tactic check.
 2022-05-31 11:25:03 -05:00
Corissa Lea Koopmans b5a47ef967 Create azure_aad_secops _signin_failure_bad_password_threshold.yml 2022-05-30 05:35:52 -05:00
frack113 32e6a82cf2 Update azure_app_credential_added.yml 2022-05-27 06:56:07 +02:00
Mark Morowczynski 5229c05cab Update azure_app_credential_added.yml 
Changes based on Sigma template rules
 2022-05-26 12:36:38 -07:00
Mark Morowczynski 97efeada5f Update .gitignore 2022-05-26 09:39:00 -07:00
Mark Morowczynski 34d06708e5 Create azure_app_credential_added.yml 
App Credential Add rule
 2022-05-25 19:13:26 -07:00
David ANDRE 74b9f97b9c Renamed suspicious in filenames to susp 2022-05-19 09:37:04 +02:00
phantinuss 112b715dd6 chore: test rules: reactivate single value list check 2022-05-10 17:13:04 +02:00
phantinuss dbd68bf3f0 chore: test rules: capitalization on FP list entries 
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.

Fixed the existing rules accordingly
 2022-05-09 16:07:44 +02:00
phantinuss 7cbfc7f16a fix: remove . from title 2022-04-06 17:04:10 +02:00
Florian Roth 15c6fad973 Merge pull request #2850 from hieuttmmo/master 
Rule to detect when any MFA Denied recorded by Azure SigninLogs
 2022-03-25 11:35:49 +01:00
Florian Roth 0b97d37faf Update azure_mfa_denies.yml 2022-03-24 21:26:13 +01:00
hieuttmmo 1fe45bd593 Merge branch 'SigmaHQ:master' into master 2022-03-24 16:53:41 +04:00
Tran Trung Hieu 713bc24750 Add new MFA Denied rule 2022-03-24 16:53:01 +04:00
Florian Roth 70acb06c16 fix: old azure notation 2022-03-22 18:15:33 +01:00
Florian Roth e91fc4486e refactor: first bigger log source refactoring 
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
 2022-03-22 17:58:29 +01:00
Florian Roth e477264aa0 fix: azure log source fix 2022-03-21 11:20:07 +01:00
phantinuss 043747822f fix: more falsepositives harmonization 2022-03-16 14:57:06 +01:00
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate 2022-03-16 14:35:19 +01:00
phantinuss b23eee6ebf fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00
Florian Roth a2031b7898 fix: condition with 1 of them 2022-03-05 12:39:04 +01:00
frack113 5f99b405e8 Merge pull request #2664 from ionsor/patch-2 
Create microsoft365_new_federated_domain_added.yml
 2022-02-11 06:40:44 +01:00
frack113 3ea09e9ec6 Update azure_mfa_disabled.yml 2022-02-10 06:40:03 +01:00
frack113 69413c26bb Update microsoft365_new_federated_domain_added.yml 2022-02-10 06:39:02 +01:00
Feathers 7cb55b1704 Create microsoft365_new_federated_domain_added.yml 2022-02-08 10:31:47 +01:00
Feathers c4ed22aa8f Create azure_mfa_disabled.yml 2022-02-08 10:19:09 +01:00
frack113 4631d0c482 remove invalid tag 2022-01-19 18:23:30 +01:00
frack113 73f258e2d1 Change double quote to quote 2022-01-06 14:02:35 +01:00
phantinuss 07a0a37273 feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:47:39 +01:00
Florian Roth 330fcf485c Merge branch 'master' into promote_status 2021-11-27 17:15:56 +01:00