security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
11,806 Commits 1 Branch 57 Tags
aa79f4a5ee080388ce5fe578cc87802df8c5abc3
Commit Graph

645 Commits

Author SHA1 Message Date
Nasreddine Bencherchali 62574e9b0c Update Ref+Selection 3 2022-07-11 18:12:51 +01:00
frack113 792fde6466 Merge pull request #3206 from baileybercik/baileybercik 
Create azure_app_highly_privileged_permissions.yml
 2022-07-10 07:59:01 +02:00
frack113 0f1c8183a1 fix references 2022-07-09 08:51:45 +02:00
frack113 b923260be4 Update azure_app_highly_privileged_permissions.yml 2022-07-09 08:42:54 +02:00
Nasreddine Bencherchali d03f6df250 Reference Update [Batch 1] 2022-07-07 15:24:15 +01:00
frack113 c43b958ac1 Merge pull request #3168 from mepples21/miepping-dev 
Added device registration w/o MFA sigma rule
 2022-07-04 13:29:58 +02:00
frack113 fa4af14545 Merge pull request #3174 from mepples21/miepping-dev6 
Create azure_ad_users_added_to_device_admin_roles.yml
 2022-07-04 13:28:57 +02:00
frack113 f5668cd223 fix id 2022-07-01 21:04:56 +02:00
frack113 8109af3ea3 Merge pull request #3170 from mepples21/miepping-dev3 
Create azure_ad_device_registration_policy_changes.yml
 2022-07-01 15:49:02 +02:00
frack113 d12293d3c1 Update azure_ad_device_registration_or_join_without_mfa.yml 2022-07-01 14:25:20 +02:00
frack113 d4c9e5640f Update azure_ad_sign_ins_from_noncompliant_devices.yml 2022-07-01 14:24:38 +02:00
frack113 fa1eb1669c Update azure_ad_users_added_to_device_admin_roles.yml 2022-07-01 14:18:26 +02:00
frack113 a2c10bcade Update azure_ad_device_registration_policy_changes.yml 2022-07-01 14:17:21 +02:00
Bailey Bercik f7c8ded6a7 Create azure_app_highly_privileged_permissions.yml 
Sigma rule for apps with highly privileged permissions in Azure
 2022-06-30 14:34:27 -07:00
Florian Roth e516fd74cb Merge pull request #3172 from mepples21/miepping-dev5 
Create azure_ad_bitlocker_key_retrieval.yml
 2022-06-29 19:40:36 +02:00
Florian Roth 218e7f1491 Update azure_ad_device_registration_policy_changes.yml 2022-06-29 19:39:34 +02:00
Florian Roth c90b8fa7f3 Update azure_ad_users_added_to_device_admin_roles.yml 2022-06-29 19:38:37 +02:00
Florian Roth 4fee43361c Merge pull request #3171 from mepples21/miepping-dev4 
Create azure_ad_sign_ins_from_unknown_devices.yml
 2022-06-29 19:37:13 +02:00
frack113 ef47e7c8f2 Update azure_ad_bitlocker_key_retrieval.yml 2022-06-29 06:34:11 +02:00
frack113 0315f31cb0 Update azure_ad_sign_ins_from_unknown_devices.yml 2022-06-29 06:33:24 +02:00
Michael Epping c9e42d3dd2 Create azure_ad_users_added_to_device_admin_roles.yml 2022-06-28 15:01:10 -07:00
Michael Epping 7aadcff92c Create azure_ad_bitlocker_key_retrieval.yml 2022-06-28 14:23:36 -07:00
Michael Epping e446a23818 Create azure_ad_sign_ins_from_unknown_devices.yml 2022-06-28 14:12:30 -07:00
Michael Epping 7c446f0d37 Create azure_ad_device_registration_policy_changes.yml 
Rule from Azure AD SecOps guide
 2022-06-28 13:11:45 -07:00
Michael Epping 495a4fb1f0 Create azure_ad_device_registration_policy_changes.ym; 2022-06-28 13:10:38 -07:00
Michael Epping 024514886f Update azure_ad_sign_ins_from_noncompliant_devices.yml 2022-06-28 11:55:54 -07:00
Michael Epping 749dd21a7b Create azure_ad_sign_ins_from_noncompliant_devices.yml 2022-06-28 11:55:41 -07:00
Michael Epping ff178408c8 Added device registration w/o MFA sigma rule 2022-06-28 11:12:12 -07:00
frack113 272c29caea Merge pull request #3138 from Yochana-H/Yochana-H 
create azure_blocked_account_attempt.yml
 2022-06-19 08:36:30 +02:00
Florian Roth 37ed5f4bc5 Update azure_blocked_account_attempt.yml 2022-06-18 18:22:43 +02:00
frack113 e3ea9f7b42 Update azure_blocked_account_attempt.yml 2022-06-17 20:43:07 +02:00
Yochana-H d659088d4b Merge branch 'Yochana-H' of https://github.com/Yochana-H/sigma into Yochana-H 2022-06-17 15:44:51 +01:00
Yochana-H 6dc3c1d4dd Create azure_blocked_account_attempt.yml 2022-06-17 15:44:40 +01:00
frack113 63400139bd Merge pull request #3110 from FlorianBracq/patch-1 
Updating azure federation modified rule
 2022-06-08 22:19:17 +02:00
FlorianBracq f5211710d6 Update modification date 2022-06-08 18:54:03 +02:00
Darin Smith d29eb1e48c Change to all selection elements rather than a filter and a selection 2022-06-08 09:13:48 -07:00
FlorianBracq 9647183716 Updating azure federation modified 
* Set logsource service to auditlogs instead of signinlogs
* Add reference to Microsoft documentation
* Set field name in selection to ActivityDisplayName instead of properties.message
 2022-06-08 17:17:26 +02:00
Darin Smith 04bcbcdb44 Minor change, filter param should not be a list 2022-06-08 06:58:19 -07:00
Darin Smith 61df0b9218 Update with suggested changes 2022-06-08 06:47:30 -07:00
Darin Smith 09e31d2045 update with command field 2022-06-07 10:45:05 -07:00
Darin Smith 8a59eb594e Add rule for ECS backdoors 2022-06-07 10:36:31 -07:00
Rachel Rice db58345bc6 Update selection_source for AWS ec2 startup script rule 
The JSON payload for `ModifyInstanceAttribute` event currently looks like:
```
"requestParameters": {
  "attribute": "userData",
  ...
},
```

Updating the selection_source from `requestParameters.userData: "*"` to `requestParameters.attribute: "userData"` accordingly.

Signed-off-by: Rachel Rice <rachel.rice@lacework.net>
 2022-06-07 13:20:08 +01:00
Mark Morowczynski e8c70a05d1 Create azure_app_owner_added.yml 
Added checking for new application owner.
 2022-06-02 13:37:00 -07:00
Mark Morowczynski fd5eb53e1d Create azure_app_appid_uri_changes.yml 
Adding AppID URI changes check
 2022-06-02 09:46:23 -07:00
Mark Morowczynski 55666836e6 Create azure_app_uri_modifications.yml 
Adding Application URI changes
 2022-06-02 06:44:35 -07:00
phantinuss 3412f29250 Update azure_app_device_code_authentication.yml 2022-06-02 13:58:37 +02:00
phantinuss 5be01c8bb4 Update azure_app_device_code_authentication.yml 2022-06-02 13:50:49 +02:00
frack113 2b599c07c6 Update and rename azure_app_device_code_authentication to azure_app_device_code_authentication.yml 2022-06-02 06:20:26 +02:00
Mark Morowczynski e148de65bb Merge branch 'SigmaHQ:master' into markmorow 2022-06-01 10:59:56 -07:00
Mark Morowczynski e09221d9f7 Create azure_app_device_code_authentication 
Adding Device Code flow authentication check
 2022-06-01 10:59:03 -07:00