Austin Songer
10af7bbdb1
Create azure_app_credential_modification.yml
2021-09-02 20:53:32 -05:00
Austin Songer
d25fd420d6
Create azure_service_principal_created.yml
2021-09-02 20:48:35 -05:00
Austin Songer
1272c76ae7
Create azure_network_firewall_policy_modified_or_deleted.yml
2021-09-02 20:31:27 -05:00
Rachel Rice
78d3fa4795
Update AWS STS AssumeRole Misuse rule
Update selection criteria for AWS STS AssumeRole Misuse rule for any event by an AssumedRole userIdentity.
Closes SigmaHQ/sigma#1963.
2021-09-02 17:40:35 +01:00
Rachel Rice
7ccb773b20
Update AWS Update Login Profile rule
Update selection criteria for AWS Update Login Profile rule to check for mismatch between userIdentity.arn and requestParameters.userName.
Closes SigmaHQ/sigma#1966.
2021-09-02 17:37:41 +01:00
frack113
772fe06e10
fix Backend does not support map values of type <class 'bool'> (57)
2021-08-29 09:10:30 +02:00
frack113
0de795b0a2
Merge pull request #1936 from austinsonger/gworkspace_application_remove.yml
add gworkspace_application_remove.yml
2021-08-27 06:25:15 +02:00
frack113
00cceb7be8
Merge pull request #1935 from austinsonger/gworkspace_mfa_disabled.yml
add gworkspace_mfa_disabled.yml
2021-08-27 06:24:26 +02:00
Austin Songer
72485a5619
Update gworkspace_application_removed.yml
2021-08-26 21:16:21 -05:00
Austin Songer
62cefcc028
Rename gworkspace_application_remove.dyml to gworkspace_application_removed.yml
2021-08-26 21:15:56 -05:00
Austin Songer
bc246ff59d
Rename gworkspace_application_remove.yml to gworkspace_application_remove.dyml
2021-08-26 20:58:22 -05:00
Austin Songer
55f5ff3d89
Application Removed
2021-08-26 20:55:07 -05:00
Austin Songer
1fffb7a3f5
Gworkspace MFA disabled.
2021-08-26 20:28:35 -05:00
Roberto Rodriguez
f98970ef06
adding basic rules to detect behavior around AAD health agents and AAD Hybrid Health AD FS services in Azure
2021-08-26 16:10:42 -04:00
frack113
1d725e8519
add gworkspace_user_granted_admin_privileges.yml
2021-08-25 08:15:18 +02:00
frack113
7028aba3bd
Merge pull request #1919 from austinsonger/gworkspace-rules
Role-Based Rules
2021-08-24 21:46:15 +02:00
frack113
09a00232fb
update references
2021-08-24 21:14:59 +02:00
frack113
a5f858b63c
update references
2021-08-24 21:13:49 +02:00
Austin Songer
ab8cc52dc6
Role-Based Rules
2021-08-24 10:53:59 -05:00
Austin Songer
62f2affd03
Spelling fix
2021-08-24 14:15:50 +00:00
frack113
ade7295cab
Merge pull request #1911 from austinsonger/gworkspace_granted_domain_api_access.yml
gworkspace_granted_domain_api_access.yml
2021-08-24 08:01:34 +02:00
frack113
d8befe3a13
Update References
2021-08-24 07:34:33 +02:00
frack113
07dc04b1db
Merge pull request #1910 from austinsonger/gworkspace_user_assigned_admin_role.yml
gworkspace_user_assigned_admin_role.yml
2021-08-24 07:22:25 +02:00
Austin Songer
facd58bd0a
Delete gworkspace_user_granted_admin_privileges.yml
2021-08-23 21:19:51 -05:00
Austin Songer
3cd43bfd9b
Create gworkspace_granted_domain_api_access.yml
2021-08-23 21:19:44 -05:00
Austin Songer
aa7a8a3e71
Update gworkspace_user_granted_admin_privileges.yml
2021-08-23 19:58:20 -05:00
Austin Songer
0fe2b3f569
Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml
2021-08-23 19:52:32 -05:00
Austin Songer
ede0332f22
Delete microsoft365_suspicious_inbox_manipulation_rules.yml
2021-08-23 19:40:20 -05:00
Austin Songer
3dd201d36f
Rename workspace_user_assigned_admin_role.yml to gworkspace_user_assigned_admin_role.yml
2021-08-23 19:38:58 -05:00
Austin Songer
6b1f0b83f4
Create workspace_user_assigned_admin_role.yml
2021-08-23 19:38:47 -05:00
Austin Songer
c0e58d3c27
Update
2021-08-23 23:00:58 +00:00
Austin Songer
29e1ce7e8f
Update
2021-08-23 22:50:39 +00:00
Austin Songer
ad892eb239
Update
2021-08-23 22:46:37 +00:00
Austin Songer
84944cf849
Update
2021-08-23 22:30:11 +00:00
Austin Songer
53482b7e9c
Update
2021-08-23 22:19:41 +00:00
Austin Songer
754158bfd2
Update
2021-08-23 22:18:12 +00:00
Austin Songer
da69b2f531
Update
2021-08-23 22:09:27 +00:00
Austin Songer
595bd3b80f
Updated
2021-08-23 22:07:09 +00:00
Austin Songer
1fa32fcd1a
Update
2021-08-23 22:02:47 +00:00
Austin Songer
4ab9519546
Update
2021-08-23 18:59:07 +00:00
Austin Songer
8e4b8f45dd
Update
2021-08-23 18:57:17 +00:00
Austin Songer
a5c551ad61
Merge branch '365' of https://github.com/austinsonger/sigma into 365
2021-08-23 18:55:40 +00:00
Austin Songer
41786a1b63
In-Progress
2021-08-23 18:55:29 +00:00
Austin Songer
3d151ef9f1
Update microsoft365_logon_from_risky_ip_address.yml
2021-08-23 12:59:53 -05:00
Austin Songer
23e96712f8
Update microsoft365_data_exfiltration_to_unsanctioned_app.yml
2021-08-23 12:59:44 -05:00
Austin Songer
1834324a16
Update
2021-08-23 17:33:57 +00:00
Austin Songer
7d211f2487
Data exfiltration to unsanctioned apps
2021-08-23 17:33:00 +00:00
Austin Songer
3a4c61f44d
M365 - Inbox Manipulation Rules
2021-08-23 17:21:27 +00:00
Austin Songer
ae84559488
M365 - Risky IP Addresses
2021-08-23 17:18:16 +00:00
frack113
52595de85e
Merge pull request #1889 from rachelrice/update_aws_rules
Update AWS CloudTrail rules
2021-08-23 11:14:31 +02:00