Josh
083eb54e30
Merge PR #5157 from @joshnck - Add Azure Login Bypassing Conditional Access Policies
...
new: Azure Login Bypassing Conditional Access Policies
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
2025-01-19 22:00:59 +01:00
Nasreddine Bencherchali
598d29f811
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
...
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00
github-actions[bot]
6b78144668
Merge PR #4942 from @nasbench - promote older rules status from experimental to test
...
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2024-08-01 10:26:14 +02:00
Ryan Plas
1d40f1d20b
Merge PR #4893 from @ryanplasma - Update Microsoft references URLS
...
chore: update Microsoft references link to use the "learn" subdomain instead of "docs".
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Thanks: @ryanplasma
2024-07-02 12:00:11 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
...
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Nasreddine Bencherchali
7364ce00b1
Merge PR #4476 from @nasbench - re-organize cloud folder and other things
...
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
2023-10-12 13:32:24 +02:00
Sanjay Govind
eb2f82cbc3
Merge PR #4450 from @sanjay900 - Fix Typo
...
fix: Disabling Multi Factor Authentication - Fix typo in title, description and detection logic
2023-09-19 01:18:50 +02:00
cyb3rjy0t
229b70f68a
Merge PR #4401 from @cyb3rjy0t - Add New O365 Related Rules
...
new: Disabling Multi Factor Authentication
new: New Federated Domain Added
update: New Federated Domain Added - Exchange
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-18 19:30:16 +02:00
frack113
1033b3f404
change status to test
2023-01-27 06:48:34 +01:00
Nasreddine Bencherchali
20b0a6bad8
Rule Dev
2022-11-18 11:15:28 +01:00
nikitah4x
0f496be1e5
Add new rule to detect PST export when eDiscovery alert policy is disabled (M365)
2022-11-18 08:40:39 +01:00
frack113
556dd8f400
Order yaml field
2022-10-25 07:34:10 +02:00
frack113
931fb30853
old experimental rule promotion
2022-10-09 16:54:04 +02:00
Feathers
633037e3cc
Create microsoft365_pst_export_alert.yml (#2665)
2022-09-19 13:19:55 +02:00
David ANDRE
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
phantinuss
dbd68bf3f0
chore: test rules: capitalization on FP list entries
...
Entries to the false positive list should begin with
a capital letter, e.g. Unknown instead of unknown.
Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
Florian Roth
e91fc4486e
refactor: first bigger log source refactoring
...
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
phantinuss
043747822f
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
frack113
69413c26bb
Update microsoft365_new_federated_domain_added.yml
2022-02-10 06:39:02 +01:00
Feathers
7cb55b1704
Create microsoft365_new_federated_domain_added.yml
2022-02-08 10:31:47 +01:00
frack113
73f258e2d1
Change double quote to quote
2022-01-06 14:02:35 +01:00
frack113
01dc930c17
Change status for old rules
2021-11-27 11:33:14 +01:00
frack113
3430943746
standardization
2021-11-09 07:27:25 +01:00
Austin Songer
62f2affd03
Spelling fix
2021-08-24 14:15:50 +00:00
Austin Songer
c0e58d3c27
Update
2021-08-23 23:00:58 +00:00
Austin Songer
29e1ce7e8f
Update
2021-08-23 22:50:39 +00:00
Austin Songer
ad892eb239
Update
2021-08-23 22:46:37 +00:00
Austin Songer
84944cf849
Update
2021-08-23 22:30:11 +00:00
Austin Songer
53482b7e9c
Update
2021-08-23 22:19:41 +00:00
Austin Songer
754158bfd2
Update
2021-08-23 22:18:12 +00:00
Austin Songer
da69b2f531
Update
2021-08-23 22:09:27 +00:00
Austin Songer
595bd3b80f
Updated
2021-08-23 22:07:09 +00:00
Austin Songer
1fa32fcd1a
Update
2021-08-23 22:02:47 +00:00
Austin Songer
4ab9519546
Update
2021-08-23 18:59:07 +00:00
Austin Songer
8e4b8f45dd
Update
2021-08-23 18:57:17 +00:00
Austin Songer
a5c551ad61
Merge branch '365' of https://github.com/austinsonger/sigma into 365
2021-08-23 18:55:40 +00:00
Austin Songer
41786a1b63
In-Progress
2021-08-23 18:55:29 +00:00
Austin Songer
3d151ef9f1
Update microsoft365_logon_from_risky_ip_address.yml
2021-08-23 12:59:53 -05:00
Austin Songer
23e96712f8
Update microsoft365_data_exfiltration_to_unsanctioned_app.yml
2021-08-23 12:59:44 -05:00
Austin Songer
1834324a16
Update
2021-08-23 17:33:57 +00:00
Austin Songer
7d211f2487
Data exfiltration to unsanctioned apps
2021-08-23 17:33:00 +00:00
Austin Songer
ae84559488
M365 - Risky IP Addresses
2021-08-23 17:18:16 +00:00
frack113
dbbb422a42
Merge pull request #1885 from austinsonger/microsoft365_unusual_volume_of_file_deletion.yml
...
microsoft365_unusual_volume_of_file_deletion.yml
2021-08-20 17:20:43 +02:00
frack113
34ac3587e9
Merge pull request #1884 from austinsonger/microsoft365_potential_ransomware_activity.yml
...
microsoft365_potential_ransomware_activity.yml
2021-08-20 17:20:34 +02:00
frack113
73fee68d4b
Merge pull request #1883 from austinsonger/microsoft365_user_restricted_from_sending_email.yml
...
microsoft365_user_restricted_from_sending_email.yml
2021-08-20 17:20:22 +02:00
Austin Songer
a25f6e196f
Update microsoft365_unusual_volume_of_file_deletion.yml
2021-08-20 08:17:25 -05:00
Austin Songer
360b936357
Update microsoft365_potential_ransomware_activity.yml
2021-08-20 08:17:09 -05:00
Austin Songer
ae36804935
Update microsoft365_user_restricted_from_sending_email.yml
2021-08-20 08:16:48 -05:00
frack113
4e29dc9c45
fix title
2021-08-20 09:06:16 +02:00
Austin Songer
853c2eb41d
Update microsoft365_potential_ransomware_activity.yml
2021-08-20 01:19:01 -05:00