Commit Graph

698 Commits

Author | SHA1 | Message | Date
Nasreddine Bencherchali | 20b0a6bad8 | Rule Dev | 2022-11-18 11:15:28 +01:00
nikitah4x | 0f496be1e5 | Add new rule to detect PST export when eDiscovery alert policy is disabled (M365) | 2022-11-18 08:40:39 +01:00
frack113 | 556dd8f400 | Order yaml field | 2022-10-25 07:34:10 +02:00
frack113 | 931fb30853 | Old experimental rule promotion | 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali | 88f10a5d39 | Fix issues | 2022-10-05 17:19:48 +02:00
Nasreddine Bencherchali | 18e43cff02 | Fix valid accounts tag | 2022-10-05 17:18:01 +02:00
Feathers | 633037e3cc | Create microsoft365_pst_export_alert.yml (#2665) | 2022-09-19 13:19:55 +02:00
David ANDRE | 0b0190ccb1 | Added quotes to strings | 2022-09-01 15:22:26 +02:00
Wagga | 4573ab0a21 | Fix a lot of typos in rules text and comments #Part 3 (#3446) | 2022-08-30 08:21:25 +02:00
Ben Montour | 59394d2309 | Bad sort on subfields startswith/endswith | 2022-08-23 14:35:48 -05:00
Ben Montour | 6aabfaba4f | Added modified field with current date | 2022-08-23 14:32:10 -05:00
Ben Montour | f733105daa | Renamed properties.message to operationName | 2022-08-23 14:20:26 -05:00
Tim Shelton | 9ddf0ce735 | Spelling mistake | 2022-08-18 15:51:43 +00:00
Tim Shelton | 65db776a9b | Fixing spelling mistake. Same as found the other day | 2022-08-18 15:49:23 +00:00
frack113 | 288461ddbe | Order placeholder rules | 2022-08-17 21:05:34 +02:00
Mark Morowczynski | 7a5d715d83 | Last remaining AAD SecOps Guide rules (#3364) | 2022-08-17 20:57:58 +02:00
Tim Shelton | cfd3e17bc7 | Fixes spelling mistake of success (missing a c) | 2022-08-16 19:27:06 +00:00
Florian Roth | b5ebc2033e | Update azure_privileged_account_creation.yml | 2022-08-11 18:25:10 +02:00
Mark Morowczynski | 10871396c4 | Create azure_privileged_account_creation.yml: Detects when a priv account is created | 2022-08-11 07:08:15 -07:00
Mark Morowczynski | 8a750770cf | Create azure_guest_invite_failure.yml: Detection when a user without proper permissions attempts to invite a guest account. | 2022-08-10 11:01:40 -07:00
Mark Morowczynski | d1c5153103 | Create azure_tap_added.yml: Detection for temporary access pass (TAP) added to an account. | 2022-08-10 07:09:09 -07:00
Mark Morowczynski | 5591d965ce | Create azure_pim_change_settings.yml: Detect when changes are made to PIM settings | 2022-08-09 12:42:29 -07:00
Mark Morowczynski | 0c0afaa45c | Create azure_pim_activation_approve_deny.yml: Detection for PIM elevation | 2022-08-09 10:01:01 -07:00
Mark Morowczynski | cdbaa27b9e | Update azure_pim_alerts_disabled.yml: Fixing MITRE tag | 2022-08-09 08:39:45 -07:00
Mark Morowczynski | c455b6bafc | Create azure_pim_alerts_disabled.yml: Detect when PIM alert settings are changed to disabled | 2022-08-09 08:00:48 -07:00
Mark Morowczynski | 13e5d53f8d | Create azure_priviledged_role_assignment_add.yml: User added to privileged role assignment | 2022-08-06 07:04:33 -07:00
Mark Morowczynski | a17a2468d5 | Create azure_priviledged_role_assignment_bulk_change.yml: Priv role assignment removal | 2022-08-05 16:06:41 -07:00
Florian Roth | dd0903bc7a | Merge pull request #3330 from MarkMorow/markmorow: Create azure_group_user_addition_ca_modification.yml | 2022-08-05 23:32:31 +02:00
Mark Morowczynski | 203d3509ca | Create azure_group_user_addition_ca_modification.yml: Adding rule for user added to group with CA modification access | 2022-08-05 13:46:51 -07:00
frack113 | fd383faeec | Merge pull request #3326 from MarkMorow/markmorow: Markmorow | 2022-08-05 19:49:09 +02:00
frack113 | 6ecdaa8fbf | Merge pull request #3181 from Yochana-H/Yochana-H: Azure_user_password_change.yml | 2022-08-05 17:39:09 +02:00
Mark Morowczynski | 7c1f1cd8ba | Merge branch 'SigmaHQ:master' into markmorow | 2022-08-05 06:06:05 -07:00
Mark Morowczynski | 72167b6f2f | Update azure_group_user_removal_ca_modification.yml: Fix audit log syntax | 2022-08-05 06:05:24 -07:00
Yochana-H | 92471574a4 | Update azure_user_password_change.yml: Space removed | 2022-08-05 13:21:12 +01:00
Yochana-H | dce0962d10 | Update azure_user_password_change.yml: Changed level | 2022-08-05 13:15:35 +01:00
Mark Morowczynski | d0b0421783 | Create azure_group_user_removal_ca_modification.yml: Monitoring for removal of members of a group that has CA modification access | 2022-08-04 16:45:59 -07:00
Yochana-H | 8d94d315b2 | Create azure_user_password_change.yml | 2022-08-04 17:30:19 +01:00
Yochana-H | b44aff5317 | Update azure_legacy_authentication_protocols.yml: Changes made OR not AND | 2022-08-04 17:19:24 +01:00
Bailey Bercik | 231777eac8 | Azure AD SecOps Guide | 2022-07-29 19:27:31 +02:00
MikeDuddington | 7072f62991 | Additional detections for Azure AD | 2022-07-28 19:44:51 +02:00
MikeDuddington | c0cb0d739b | Create azure_guest_to_member.yml | 2022-07-28 07:04:13 +02:00
Florian Roth | 29ab0cda08 | Update azure_aad_secops_ca_policy_updatedby_bad_actor.yml | 2022-07-27 10:43:44 +02:00
Florian Roth | 9f65836403 | Update azure_aad_secops_ca_policy_removedby_bad_actor.yml | 2022-07-27 10:43:27 +02:00
Florian Roth | 57c87e16cf | fix: wrong fields | 2022-07-27 10:34:11 +02:00
Florian Roth | 88eca559b9 | fix: wrong condition | 2022-07-26 13:34:10 +02:00
Corissa Lea Koopmans | 77d7f2ca31 | Added CA Policy Updated SecOps Rule: CA Policy Updated by Non-Approved Actor | 2022-07-19 15:50:26 -05:00
frack113 | 6af6bd27e0 | Change CRLF to LF | 2022-07-19 19:57:28 +02:00
Corissa Lea Koopmans | 94c9233dad | Adding CA Policy Removed SecOps Rule: Conditional Access Policy removed by non-approved actors | 2022-07-19 11:23:30 -05:00
frack113 | a3b1cdc158 | Add azure_aad_secops_new_ca_policy_addedby_bad_actor | 2022-07-19 17:19:37 +02:00
Mark Morowczynski | 301d25a7ec | Delete azure_app_logout_url.yml | 2022-07-17 12:15:14 -07:00