Commit Graph

273 Commits

Author SHA1 Message Date
cyb3rjy0t 16d8345ca7 Merge PR #4725 from @cyb3rjy0t - Add new Azure AD rules
new: Certificate-Based Authentication Enabled
new: New Root Certificate Authority Added 

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-03-26 18:25:59 +01:00
github-actions[bot] 367ebd9395 Merge PR #4700 from @nasbench - Promote older rules status from experimental to test
chore: promote older rules status from experimental to test
2024-02-01 02:09:31 +01:00
github-actions[bot] ae960f0881 Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
Wagga 8bf3282194 Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
update: Registry Persistence via Service in Safe Mode - Fix typo in title
chore: Fix multiple typos in metadata fields and comments

---------

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-28 13:15:09 +02:00
Nasreddine Bencherchali 95793d73bd Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113 020fc8061f Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Nasreddine Bencherchali 7364ce00b1 Merge PR #4476 from @nasbench - re-organize cloud folder and other things
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
2023-10-12 13:32:24 +02:00
Mark Morowczynski f28b89c084 Merge PR #4445 from @MarkMorow - New Azure PIM Rules
new: Stale Accounts In A Privileged Role
new: Invalid PIM License
new: Roles Assigned Outside PIM
new: Roles Activated Too Frequently
new: Roles Activation Doesn't Require MFA
new: Roles Are Not Being Used
new: Too Many Global Admins

---------

Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-14 22:02:30 +02:00
Mark Morowczynski e5fabcbd2f Merge PR #4429 from @MarkMorow - Add New Azure Identity Protection Rules
new: Malicious IP Address Sign-In Failure Rate
new: Malicious IP Address Sign-In Suspicious
new: Primary Refresh Token Access Attempt
new: Azure AD Threat Intelligence

---------

Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-11 22:53:52 +02:00
Mark Morowczynski efe2c9bbcb Merge PR #4423 from @MarkMorow - Add Azure AD Identity Protection Rules
new: Anomalous User Activity
new: Activity From Anonymous IP Address
new: Atypical Travel
new: Impossible Travel
new: Suspicious Inbox Forwarding Identity Protection
new: Suspicious Inbox Manipulation Rules
new: Azure AD Account Credential Leaked
new: Sign-In From Malware Infected IP
new: New Country
new: Password Spray Activity
new: Suspicious Browser Activity
new: SAML Token Issuer Anomaly
new: Unfamiliar Sign-In Properties

---------

Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-06 10:56:13 +02:00
gleeiamglo 832c15a4c9 Merge pull request #4384 from @gleeiamglo
new: Anonymous IP Address

---------

Co-authored-by: gllee <gllee@microsoft.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-08-23 14:45:56 +02:00
frack113 450b619c13 Change field name in detection 2023-08-10 06:21:38 +02:00
Nasreddine Bencherchali 67d0d2afff chore: change service name to lowercase 2023-08-08 15:41:08 +02:00
frack113 a66b38d3df Fix to pass the tests 2023-08-08 06:47:08 +02:00
Mark Morowczynski fa780ec7b9 Update azure_identity_protectection_anomalous_token.yml
Deleting extra space
2023-08-07 18:36:25 -07:00
Mark Morowczynski ef2d8b4c99 Create azure_identity_protectection_anomalous_token.yml
Adding the first of several identity protection alerts
2023-08-07 18:33:35 -07:00
Nasreddine Bencherchali 3d9372bef3 feat: new rules, updates and fp fixes (#4136) 2023-04-03 12:06:14 +02:00
FormindGMO fad662ab15 #4149 Fix ALA Rules Compilation (parser and broken azure rules) (#4150) 2023-03-29 23:07:40 +02:00
phantinuss 98ab4bcd6a fix: wording 2023-03-21 08:58:22 +01:00
Nasreddine Bencherchali b253e8cafc fix: apply suggestions from code review 2023-03-20 22:02:38 +01:00
phantinuss d6b91a9abf fix: file extension (3) 2023-03-20 09:54:28 +01:00
phantinuss 23fc8e1d0c fix: file extension (2) 2023-03-20 09:40:23 +01:00
phantinuss f53e9676bb fix: missing file extension 2023-03-20 08:55:49 +01:00
cyb3rjy0t 14eea4ebcb azure_ad_suspicious_signin_bypassingMFA 2023-03-20 00:41:33 -04:00
Wagga 273fdb9985 fix: typos in multiple rules (#4011) 2023-02-06 13:53:23 +01:00
Mark Morowczynski b24e6d197b Update tags for MITRE ATT&CK
Update tags for MITRE ATT&CK
2023-01-29 11:29:12 -08:00
Mark Morowczynski 29ca26b32c Updating MITRE Tactics & Techniques
Updating MITRE Tactics & Techniques to align with existing classifications
2023-01-28 13:26:15 -08:00
frack113 1033b3f404 change status to test 2023-01-27 06:48:34 +01:00
TheLawsOfChaos 8607588a13 11 Files with updates Tactics/techniques/sub-techs (#3904) 2023-01-11 06:30:46 +01:00
frack113 0c3ba418db Merge pull request #3898 from cyb3rjy0t/patch-2
New rule
2023-01-10 20:47:48 +01:00
frack113 8e7187e861 Rename azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml to azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml 2023-01-10 20:37:56 +01:00
Nasreddine Bencherchali 2820210945 fix: broken title 2023-01-10 19:43:19 +01:00
frack113 4023bf2c83 Remove mitre url 2023-01-10 18:09:04 +01:00
frack113 a6116a5fdc Merge pull request #3894 from TheLawsOfChaos/patch-5
Update azure_device_or_configuration_modified_or_deleted.yml
2023-01-10 17:49:12 +01:00
Nasreddine Bencherchali 23278ead62 Merge pull request #3893 from TheLawsOfChaos/patch-4
Update azure_dns_zone_modified_or_deleted.yml
2023-01-10 13:50:11 +01:00
Nasreddine Bencherchali 82c2b635a9 fix: yaml syntax 2023-01-10 00:49:44 +01:00
Nasreddine Bencherchali 3b149675b2 Merge pull request #3896 from TheLawsOfChaos/patch-7
Patch 7
2023-01-10 00:45:38 +01:00
cyb3rjy0t 907252c00f New rule
Detecting risky user sign-in from non-AD-registered device with single-factor authentication
2023-01-09 17:07:39 -05:00
Nasreddine Bencherchali 032db9f799 Merge pull request #3897 from TheLawsOfChaos/patch-8
Update azure_firewall_modified_or_deleted.yml
2023-01-09 22:39:41 +01:00
Nasreddine Bencherchali f0505a7a22 fix: remove mitre links from ref section 2023-01-09 22:34:13 +01:00
Nasreddine Bencherchali e237aec830 Merge pull request #3895 from TheLawsOfChaos/patch-6
Update azure_creating_number_of_resources_detection.yml
2023-01-09 22:33:30 +01:00
Nasreddine Bencherchali 3ec4c3e98b fix: apply suggestions from code review 2023-01-09 22:23:19 +01:00
Nasreddine Bencherchali c8cbdefba5 fix: remove unnecessary spaces 2023-01-09 22:22:40 +01:00
Nasreddine Bencherchali b728332228 fix: remove mitre link from the reference section 2023-01-09 22:21:46 +01:00
Nasreddine Bencherchali 0e06d9e9b9 fix: remove mitre link from the reference section 2023-01-09 22:21:21 +01:00
Nasreddine Bencherchali a3cee700af fix: add missing "t" to mitre tag 2023-01-09 22:20:48 +01:00
Nasreddine Bencherchali 0f75a1d361 fix: remove mitre reference link 2023-01-09 22:19:57 +01:00
TheLawsOfChaos 8caf115e33 Update azure_firewall_modified_or_deleted.yml
Added sub-tech reference, new tactic, and sub-tech.
2023-01-09 16:09:18 -05:00
TheLawsOfChaos e97efe445c Update azure_change_to_authentication_method.yml 2023-01-09 15:46:05 -05:00
TheLawsOfChaos 42875d2bba Update azure_change_to_authentication_method.yml
Updated description, added two tactics and one technique, and added technique reference.
2023-01-09 15:43:07 -05:00