Commit Graph

656 Commits

Author SHA1 Message Date
Bailey Bercik 231777eac8 Azure AD SecOps Guide 2022-07-29 19:27:31 +02:00
MikeDuddington 7072f62991 additional detections for Azure AD 2022-07-28 19:44:51 +02:00
MikeDuddington c0cb0d739b Create azure_guest_to_member.yml 2022-07-28 07:04:13 +02:00
Florian Roth 29ab0cda08 Update azure_aad_secops_ca_policy_updatedby_bad_actor.yml 2022-07-27 10:43:44 +02:00
Florian Roth 9f65836403 Update azure_aad_secops_ca_policy_removedby_bad_actor.yml 2022-07-27 10:43:27 +02:00
Florian Roth 57c87e16cf fix: wrong fields 2022-07-27 10:34:11 +02:00
Florian Roth 88eca559b9 fix: wrong condition 2022-07-26 13:34:10 +02:00
Corissa Lea Koopmans 77d7f2ca31 Added CA Policy Updated SecOps Rule (CA Policy Updated by Non Approved Actor) 2022-07-19 15:50:26 -05:00
frack113 6af6bd27e0 Change CRLF to LF 2022-07-19 19:57:28 +02:00
Corissa Lea Koopmans 94c9233dad Adding CA Policy Removed Sec Ops Rule (Conditional Access Policy removed by non-approved actors) 2022-07-19 11:23:30 -05:00
frack113 a3b1cdc158 Add azure_aad_secops_new_ca_policy_addedby_bad_actor 2022-07-19 17:19:37 +02:00
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
frack113 792fde6466 Merge pull request #3206 from baileybercik/baileybercik (Create azure_app_highly_privileged_permissions.yml) 2022-07-10 07:59:01 +02:00
frack113 0f1c8183a1 fix references 2022-07-09 08:51:45 +02:00
frack113 b923260be4 Update azure_app_highly_privileged_permissions.yml 2022-07-09 08:42:54 +02:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
frack113 c43b958ac1 Merge pull request #3168 from mepples21/miepping-dev (Added device registration w/o MFA sigma rule) 2022-07-04 13:29:58 +02:00
frack113 fa4af14545 Merge pull request #3174 from mepples21/miepping-dev6 (Create azure_ad_users_added_to_device_admin_roles.yml) 2022-07-04 13:28:57 +02:00
frack113 f5668cd223 fix id 2022-07-01 21:04:56 +02:00
frack113 8109af3ea3 Merge pull request #3170 from mepples21/miepping-dev3 (Create azure_ad_device_registration_policy_changes.yml) 2022-07-01 15:49:02 +02:00
frack113 d12293d3c1 Update azure_ad_device_registration_or_join_without_mfa.yml 2022-07-01 14:25:20 +02:00
frack113 d4c9e5640f Update azure_ad_sign_ins_from_noncompliant_devices.yml 2022-07-01 14:24:38 +02:00
frack113 fa1eb1669c Update azure_ad_users_added_to_device_admin_roles.yml 2022-07-01 14:18:26 +02:00
frack113 a2c10bcade Update azure_ad_device_registration_policy_changes.yml 2022-07-01 14:17:21 +02:00
Bailey Bercik f7c8ded6a7 Create azure_app_highly_privileged_permissions.yml (Sigma rule for apps with highly privileged permissions in Azure) 2022-06-30 14:34:27 -07:00
Florian Roth e516fd74cb Merge pull request #3172 from mepples21/miepping-dev5 (Create azure_ad_bitlocker_key_retrieval.yml) 2022-06-29 19:40:36 +02:00
Florian Roth 218e7f1491 Update azure_ad_device_registration_policy_changes.yml 2022-06-29 19:39:34 +02:00
Florian Roth c90b8fa7f3 Update azure_ad_users_added_to_device_admin_roles.yml 2022-06-29 19:38:37 +02:00
Florian Roth 4fee43361c Merge pull request #3171 from mepples21/miepping-dev4 (Create azure_ad_sign_ins_from_unknown_devices.yml) 2022-06-29 19:37:13 +02:00
frack113 ef47e7c8f2 Update azure_ad_bitlocker_key_retrieval.yml 2022-06-29 06:34:11 +02:00
frack113 0315f31cb0 Update azure_ad_sign_ins_from_unknown_devices.yml 2022-06-29 06:33:24 +02:00
Michael Epping c9e42d3dd2 Create azure_ad_users_added_to_device_admin_roles.yml 2022-06-28 15:01:10 -07:00
Michael Epping 7aadcff92c Create azure_ad_bitlocker_key_retrieval.yml 2022-06-28 14:23:36 -07:00
Michael Epping e446a23818 Create azure_ad_sign_ins_from_unknown_devices.yml 2022-06-28 14:12:30 -07:00
Michael Epping 7c446f0d37 Create azure_ad_device_registration_policy_changes.yml (Rule from Azure AD SecOps guide) 2022-06-28 13:11:45 -07:00
Michael Epping 495a4fb1f0 Create azure_ad_device_registration_policy_changes.ym; 2022-06-28 13:10:38 -07:00
Michael Epping 024514886f Update azure_ad_sign_ins_from_noncompliant_devices.yml 2022-06-28 11:55:54 -07:00
Michael Epping 749dd21a7b Create azure_ad_sign_ins_from_noncompliant_devices.yml 2022-06-28 11:55:41 -07:00
Michael Epping ff178408c8 Added device registration w/o MFA sigma rule 2022-06-28 11:12:12 -07:00
frack113 272c29caea Merge pull request #3138 from Yochana-H/Yochana-H (create azure_blocked_account_attempt.yml) 2022-06-19 08:36:30 +02:00
Florian Roth 37ed5f4bc5 Update azure_blocked_account_attempt.yml 2022-06-18 18:22:43 +02:00
frack113 e3ea9f7b42 Update azure_blocked_account_attempt.yml 2022-06-17 20:43:07 +02:00
Yochana-H d659088d4b Merge branch 'Yochana-H' of https://github.com/Yochana-H/sigma into Yochana-H 2022-06-17 15:44:51 +01:00
Yochana-H 6dc3c1d4dd Create azure_blocked_account_attempt.yml 2022-06-17 15:44:40 +01:00
frack113 63400139bd Merge pull request #3110 from FlorianBracq/patch-1 (Updating azure federation modified rule) 2022-06-08 22:19:17 +02:00
FlorianBracq f5211710d6 Update modification date 2022-06-08 18:54:03 +02:00
Darin Smith d29eb1e48c Change to all selection elements rather than a filter and a selection 2022-06-08 09:13:48 -07:00
FlorianBracq 9647183716 Updating azure federation modified (Set logsource service to auditlogs instead of signinlogs; Add reference to Microsoft documentation; Set field name in selection to ActivityDisplayName instead of properties.message) 2022-06-08 17:17:26 +02:00
Darin Smith 04bcbcdb44 Minor change, filter param should not be a list 2022-06-08 06:58:19 -07:00
Darin Smith 61df0b9218 Update with suggested changes 2022-06-08 06:47:30 -07:00