Michael
43277f26fc
Merge PR #4461 from @WTFender - Create AWS rule aws_sso_idp_change.yml
...
new: AWS Identity Center Identity Provider Change
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-29 16:37:01 +02:00
Sanjay Govind
eb2f82cbc3
Merge PR #4450 from @sanjay900 - Fix Typo
...
fix: Disabling Multi Factor Authentication - Fix typo in title, description and detection logic
2023-09-19 01:18:50 +02:00
cyb3rjy0t
229b70f68a
Merge PR #4401 from @cyb3rjy0t - Add New O365 Related Rules
...
new: Disabling Multi Factor Authentication
new: New Federated Domain Added
update: New Federated Domain Added - Exchange
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-18 19:30:16 +02:00
Mark Morowczynski
f28b89c084
Merge PR #4445 from @MarkMorow - New Azure PIM Rules
...
new: Stale Accounts In A Privileged Role
new: Invalid PIM License
new: Roles Assigned Outside PIM
new: Roles Activated Too Frequently
new: Roles Activation Doesn't Require MFA
new: Roles Are Not Being Used
new: Too Many Global Admins
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-14 22:02:30 +02:00
Mark Morowczynski
e5fabcbd2f
Merge PR #4429 from @MarkMorow - Add New Azure Identity Protection Rules
...
new: Malicious IP Address Sign-In Failure Rate
new: Malicious IP Address Sign-In Suspicious
new: Primary Refresh Token Access Attempt
new: Azure AD Threat Intelligence
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-11 22:53:52 +02:00
Nick Moore
a6c20d8b71
Merge PR #4428 from @kelnage - Add Okta Cross-Tenant Impersonation Rules
...
new: Okta Identity Provider Created
new: Okta New Admin Console Behaviours
new: Okta Suspicious Activity Reported by End-user
new: Okta User Session Start Via An Anonymising Proxy Service
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-11 22:52:18 +02:00
Mark Morowczynski
efe2c9bbcb
Merge PR #4423 from @MarkMorow - Add Azure AD Identity Protection Rules
...
new: Anomalous User Activity
new: Activity From Anonymous IP Address
new: Atypical Travel
new: Impossible Travel
new: Suspicious Inbox Forwarding Identity Protection
new: Suspicious Inbox Manipulation Rules
new: Azure AD Account Credential Leaked
new: Sign-In From Malware Infected IP
new: New Country
new: Password Spray Activity
new: Suspicious Browser Activity
new: SAML Token Issuer Anomaly
new: Unfamiliar Sign-In Properties
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-06 10:56:13 +02:00
Daniel Bohannon
3ce631af50
Merge pull request #4294 from @danielbohannon - Permiso p0-LUCR-1 (aka GUI-vil)
...
new: AWS IAM S3Browser Templated S3 Bucket Policy Creation
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-08-24 12:21:34 +02:00
gleeiamglo
832c15a4c9
Merge pull request #4384 from @gleeiamglo
...
new: Anonymous IP Address
---------
Co-authored-by: gllee <gllee@microsoft.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-08-23 14:45:56 +02:00
frack113
450b619c13
Change field name in detection
2023-08-10 06:21:38 +02:00
Nasreddine Bencherchali
67d0d2afff
chore: change service name to lowercase
2023-08-08 15:41:08 +02:00
frack113
a66b38d3df
Fix to pass the tests
2023-08-08 06:47:08 +02:00
Mark Morowczynski
fa780ec7b9
Update azure_identity_protectection_anomalous_token.yml
...
Deleting extra space
2023-08-07 18:36:25 -07:00
Mark Morowczynski
ef2d8b4c99
Create azure_identity_protectection_anomalous_token.yml
...
Adding the first of several identity protection alerts
2023-08-07 18:33:35 -07:00
Nasreddine Bencherchali
2c3d19f335
Merge pull request #4293 from danielbohannon/patch-1
2023-07-17 12:19:05 +02:00
Nasreddine Bencherchali
e59f9d6f61
chore: add missing quotes
2023-06-23 10:17:09 +02:00
Nasreddine Bencherchali
1562630a17
chore: update structure
2023-06-23 10:16:53 +02:00
Nasreddine Bencherchali
fac3e34f92
fix: broken selection
2023-06-23 10:12:23 +02:00
Nasreddine Bencherchali
135855e9a7
chore: update structure
2023-06-23 10:10:13 +02:00
Daniel Bohannon
7dbfa195bd
Permiso p0-LUCR-1 (aka GUI-vil)
...
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
2023-06-06 17:18:06 -04:00
Daniel Bohannon
0348c1adbb
Permiso p0-LUCR-1 (aka GUI-vil)
...
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
2023-06-06 17:08:14 -04:00
Austin Songer
b72e7fc6eb
Update rules/cloud/okta/okta_fastpass_phishing_detection.yml
...
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-05-10 01:18:00 -05:00
Austin Songer
3e9cfc3e7c
Update okta_fastpass_phishing_detection.yml
2023-05-08 11:26:21 -05:00
Austin Songer
8dc803df95
Update okta_fastpass_phishing_detection.yml
2023-05-08 10:35:19 -05:00
Austin Songer
df04652768
Update okta_fastpass_phishing_detection.yml
2023-05-07 20:16:54 -05:00
Austin Songer
616bf2a819
Update okta_fastpass_phishing_detection.yml
2023-05-07 20:06:23 -05:00
Austin Songer
ce62346e4f
Create okta_fastpass_phishing_detection.yml
2023-05-07 19:43:39 -05:00
Nasreddine Bencherchali
7ce4a9b7ec
fix: add missing modified
2023-04-28 11:12:30 +02:00
muratogul
961aebb8ef
corrected eventSource on aws_enum_buckets.yml file
2023-04-27 22:53:34 -07:00
erickatwork
91bc015216
feat: update description ECS TASK DEF rule (#4181)
2023-04-25 11:00:24 +02:00
Nick Moore
463d9fff82
feat: new rule Potential Okta Password in AlternateID Field (#4158)
2023-04-05 13:21:03 +02:00
Nasreddine Bencherchali
3d9372bef3
feat: new rules, updates and fp fixes (#4136)
2023-04-03 12:06:14 +02:00
FormindGMO
fad662ab15
#4149 Fix ALA Rules Compilation (parser and broken azure rules) (#4150)
2023-03-29 23:07:40 +02:00
phantinuss
98ab4bcd6a
fix: wording
2023-03-21 08:58:22 +01:00
Nasreddine Bencherchali
b253e8cafc
fix: apply suggestions from code review
2023-03-20 22:02:38 +01:00
phantinuss
d6b91a9abf
fix: file extension (3)
2023-03-20 09:54:28 +01:00
phantinuss
23fc8e1d0c
fix: file extension (2)
2023-03-20 09:40:23 +01:00
phantinuss
f53e9676bb
fix: missing file extension
2023-03-20 08:55:49 +01:00
cyb3rjy0t
14eea4ebcb
azure_ad_suspicious_signin_bypassingMFA
2023-03-20 00:41:33 -04:00
Wagga
273fdb9985
fix: typos in multiple rules (#4011)
2023-02-06 13:53:23 +01:00
frack113
9e51af56ca
Merge pull request #3974 from MarkMorow/master
...
Update tags for MITRE ATT&CK
2023-01-31 07:34:34 +01:00
Nasreddine Bencherchali
7b3a3ee254
fix: add missing space by the end
2023-01-30 10:26:13 +01:00
Nasreddine Bencherchali
6de8009c88
fix: update metadata and prefix test
2023-01-30 10:23:13 +01:00
Mark Morowczynski
b24e6d197b
Update tags for MITRE ATT&CK
...
Update tags for MITRE ATT&CK
2023-01-29 11:29:12 -08:00
z00t
cd15e7beea
Rename github_new_org_member_alert.yml to github_new_org_member.yml
...
The rule name changed to match the updated rule title.
2023-01-30 00:02:20 +05:00
z00t
d8c18457a0
Update disabled_outdated_dependency_or_vulnerability.yml
...
Removed invalid MITRE ID T1089 and removed the mitigation ID, which was included in error.
2023-01-30 00:01:22 +05:00
z00t
493daf54f5
Update and rename github_high_risk_configuration_change.yml to disable_github_high_risk_configuration.yml
...
The severity level changed to high from critical. The rule name matched the modified title.
2023-01-29 23:59:53 +05:00
z00t
40d7ce83c7
Rename dependabot_alerts_disabled.yml to disabled_outdated_dependency_or_vulnerability.yml
...
The rule name was matched to the modified title.
2023-01-29 23:57:17 +05:00
z00t
23e5faa382
Update rules/cloud/github/github_new_org_member_alert.yml
...
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-01-29 23:05:28 +05:00
z00t
579ac60b7a
Update rules/cloud/github/github_high_risk_configuration_change.yml
...
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-01-29 23:04:30 +05:00