 Nasreddine Bencherchali
|
e08358de3b
|
fix: add related field
|
2023-01-07 13:13:48 +01:00 |
|
|
frack113
|
d73fe7ecfe
|
Update rules/cloud/aws/aws_enum_buckets.yml
|
2023-01-07 12:39:50 +01:00 |
|
|
securepeacock
|
4c3e79cccb
|
Create aws_enum_buckets.yml
|
2023-01-06 17:36:08 -05:00 |
|
|
frack113
|
7d5fb8db30
|
update logsource
|
2023-01-04 19:36:37 +01:00 |
|
|
frack113
|
756a248032
|
update logsource
|
2023-01-04 18:52:24 +01:00 |
|
|
BlueTeamOps
|
05135ec828
|
Further improved several AWS rules (#3827)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
|
2022-12-28 19:46:36 +01:00 |
|
|
frack113
|
7060db3d47
|
Promotion rules (#3821)
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
|
2022-12-27 12:29:10 +01:00 |
|
|
Nasreddine Bencherchali
|
a1b2e0ee81
|
Merge pull request #3781 from blueteam0ps/aws_det
Multiple AWS detection rules
|
2022-12-23 12:41:15 +01:00 |
|
|
frack113
|
32b7ef47df
|
Add count condition
|
2022-12-23 12:32:05 +01:00 |
|
|
Nasreddine Bencherchali
|
a3f897606f
|
fix: enhance metadata information
|
2022-12-23 11:01:57 +01:00 |
|
|
BlueTeamOps
|
426dc04fd1
|
Added timeframe
|
2022-12-22 07:56:14 +11:00 |
|
|
BlueTeamOps
|
855ca77253
|
Added a timeframe
|
2022-12-22 07:49:26 +11:00 |
|
|
BlueTeamOps
|
3b4bf47d59
|
Added timeframe
|
2022-12-22 07:40:48 +11:00 |
|
|
frack113
|
646351808e
|
Refractor (#3794)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
|
2022-12-18 21:00:14 +01:00 |
|
|
Nasreddine Bencherchali
|
97c43eaa73
|
fix: duplicate id
|
2022-12-16 10:32:18 +01:00 |
|
|
frack113
|
066ab2680d
|
Change to LF
|
2022-12-16 09:24:19 +01:00 |
|
|
BlueTeamOps
|
02fdcf037e
|
fixed the eventNames to be inline
|
2022-12-16 18:56:15 +11:00 |
|
|
BlueTeamOps
|
5563195c77
|
fixed up eventName
|
2022-12-16 18:55:09 +11:00 |
|
|
BlueTeamOps
|
f1c53264b2
|
Multiple AWS rules
Multiple AWS rules based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
|
2022-12-13 22:30:28 +11:00 |
|
|
BlueTeamOps
|
2958fc35e5
|
Delete aws_delete_identity.yml
|
2022-12-13 22:29:16 +11:00 |
|
|
BlueTeamOps
|
77accc82d7
|
Delete aws_ses_messaging_enabled.yml
|
2022-12-13 22:29:00 +11:00 |
|
|
BlueTeamOps
|
d2f0f6ddec
|
Delete aws_enum_storage.yml
|
2022-12-13 22:28:48 +11:00 |
|
|
BlueTeamOps
|
155aa8412e
|
Delete aws_enum_network.yml
|
2022-12-13 22:28:36 +11:00 |
|
|
BlueTeamOps
|
4debb454a7
|
Delete aws_enum_logging.yml
|
2022-12-13 22:28:27 +11:00 |
|
|
BlueTeamOps
|
53cfd3b7a1
|
Multiple AWS use cases
Multiple AWS use cases based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
|
2022-12-13 22:23:50 +11:00 |
|
|
BlueTeamOps
|
47b5272fcd
|
Create azure_ad_azurehound_discovery.yml (#3762)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
|
2022-12-08 20:21:02 +01:00 |
|
|
Nasreddine Bencherchali
|
20b0a6bad8
|
Rule Dev
|
2022-11-18 11:15:28 +01:00 |
|
|
nikitah4x
|
0f496be1e5
|
Add new rule to detect PST export when eDiscovery alert policy is disabled (M365)
|
2022-11-18 08:40:39 +01:00 |
|
|
frack113
|
556dd8f400
|
Order yaml field
|
2022-10-25 07:34:10 +02:00 |
|
|
frack113
|
931fb30853
|
old experimental rule promotion
|
2022-10-09 16:54:04 +02:00 |
|
|
Nasreddine Bencherchali
|
88f10a5d39
|
Fix issues
|
2022-10-05 17:19:48 +02:00 |
|
|
Nasreddine Bencherchali
|
18e43cff02
|
Fix valid accounts tag
|
2022-10-05 17:18:01 +02:00 |
|
|
Feathers
|
633037e3cc
|
Create microsoft365_pst_export_alert.yml (#2665)
|
2022-09-19 13:19:55 +02:00 |
|
|
David ANDRE
|
0b0190ccb1
|
Added quotes to strings
|
2022-09-01 15:22:26 +02:00 |
|
|
Wagga
|
4573ab0a21
|
Fix a lot of typos in rules text and comments #Part 3 (#3446)
|
2022-08-30 08:21:25 +02:00 |
|
|
Ben Montour
|
59394d2309
|
bad sort on subfields startswith/endswith
|
2022-08-23 14:35:48 -05:00 |
|
|
Ben Montour
|
6aabfaba4f
|
added modified field with current date
|
2022-08-23 14:32:10 -05:00 |
|
|
Ben Montour
|
f733105daa
|
renamed properties.message to operationName
|
2022-08-23 14:20:26 -05:00 |
|
|
Tim Shelton
|
9ddf0ce735
|
spelling mistake
|
2022-08-18 15:51:43 +00:00 |
|
|
Tim Shelton
|
65db776a9b
|
Fixing spelling mistake. same as found the other day
|
2022-08-18 15:49:23 +00:00 |
|
|
frack113
|
288461ddbe
|
Order placerholder rules
|
2022-08-17 21:05:34 +02:00 |
|
|
Mark Morowczynski
|
7a5d715d83
|
Last remaining AAD SecOps Guide rules (#3364)
* Last remaining AAD SecOps Guide rules
|
2022-08-17 20:57:58 +02:00 |
|
|
Tim Shelton
|
cfd3e17bc7
|
Fixes spelling mistake of success (missing a c)
|
2022-08-16 19:27:06 +00:00 |
|
|
Florian Roth
|
b5ebc2033e
|
Update azure_privileged_account_creation.yml
|
2022-08-11 18:25:10 +02:00 |
|
|
Mark Morowczynski
|
10871396c4
|
Create azure_privileged_account_creation.yml
Detects when a priv account is created
|
2022-08-11 07:08:15 -07:00 |
|
|
Mark Morowczynski
|
8a750770cf
|
Create azure_guest_invite_failure.yml
Detection when a user without proper permissions attempts to invite a guest account.
|
2022-08-10 11:01:40 -07:00 |
|
|
Mark Morowczynski
|
d1c5153103
|
Create azure_tap_added.yml
Detection for temporary access pass (TAP) added to an account.
|
2022-08-10 07:09:09 -07:00 |
|
|
Mark Morowczynski
|
5591d965ce
|
Create azure_pim_change_settings.yml
Detect when changes are made to PIM settings
|
2022-08-09 12:42:29 -07:00 |
|
|
Mark Morowczynski
|
0c0afaa45c
|
Create azure_pim_activation_approve_deny.yml
Detection for PIM elevation
|
2022-08-09 10:01:01 -07:00 |
|
|
Mark Morowczynski
|
cdbaa27b9e
|
Update azure_pim_alerts_disabled.yml
fixing MITRE tag
|
2022-08-09 08:39:45 -07:00 |
|