security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
14,048 Commits 1 Branch 57 Tags
d38195ea31a002cee4c32ea5c19bb082779d0482
Commit Graph

718 Commits

Author SHA1 Message Date
frack113 7060db3d47 Promotion rules (#3821) 
* Promotion rules

* fix missing null

* fix: modified date

Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali a1b2e0ee81 Merge pull request #3781 from blueteam0ps/aws_det 
Multiple AWS detection rules
 2022-12-23 12:41:15 +01:00
frack113 32b7ef47df Add count condition 2022-12-23 12:32:05 +01:00
Nasreddine Bencherchali a3f897606f fix: enhance metadata information 2022-12-23 11:01:57 +01:00
BlueTeamOps 426dc04fd1 Added timeframe 2022-12-22 07:56:14 +11:00
BlueTeamOps 855ca77253 Added a timeframe 2022-12-22 07:49:26 +11:00
BlueTeamOps 3b4bf47d59 Added timeframe 2022-12-22 07:40:48 +11:00
frack113 646351808e Refractor (#3794) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-18 21:00:14 +01:00
Nasreddine Bencherchali 97c43eaa73 fix: duplicate id 2022-12-16 10:32:18 +01:00
frack113 066ab2680d Change to LF 2022-12-16 09:24:19 +01:00
BlueTeamOps 02fdcf037e fixed the eventNames to be inline 2022-12-16 18:56:15 +11:00
BlueTeamOps 5563195c77 fixed up eventName 2022-12-16 18:55:09 +11:00
BlueTeamOps f1c53264b2 Multiple AWS rules 
Multiple AWS rules based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 2022-12-13 22:30:28 +11:00
BlueTeamOps 2958fc35e5 Delete aws_delete_identity.yml 2022-12-13 22:29:16 +11:00
BlueTeamOps 77accc82d7 Delete aws_ses_messaging_enabled.yml 2022-12-13 22:29:00 +11:00
BlueTeamOps d2f0f6ddec Delete aws_enum_storage.yml 2022-12-13 22:28:48 +11:00
BlueTeamOps 155aa8412e Delete aws_enum_network.yml 2022-12-13 22:28:36 +11:00
BlueTeamOps 4debb454a7 Delete aws_enum_logging.yml 2022-12-13 22:28:27 +11:00
BlueTeamOps 53cfd3b7a1 Multiple AWS use cases 
Multiple AWS use cases based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
 2022-12-13 22:23:50 +11:00
BlueTeamOps 47b5272fcd Create azure_ad_azurehound_discovery.yml (#3762) 
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
 2022-12-08 20:21:02 +01:00
Nasreddine Bencherchali 20b0a6bad8 Rule Dev 2022-11-18 11:15:28 +01:00
nikitah4x 0f496be1e5 Add new rule to detect PST export when eDiscovery alert policy is disabled (M365) 2022-11-18 08:40:39 +01:00
frack113 556dd8f400 Order yaml field 2022-10-25 07:34:10 +02:00
frack113 931fb30853 old experimental rule promotion 2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali 88f10a5d39 Fix issues 2022-10-05 17:19:48 +02:00
Nasreddine Bencherchali 18e43cff02 Fix valid accounts tag 2022-10-05 17:18:01 +02:00
Feathers 633037e3cc Create microsoft365_pst_export_alert.yml (#2665) 2022-09-19 13:19:55 +02:00
David ANDRE 0b0190ccb1 Added quotes to strings 2022-09-01 15:22:26 +02:00
Wagga 4573ab0a21 Fix a lot of typos in rules text and comments #Part 3 (#3446) 2022-08-30 08:21:25 +02:00
Ben Montour 59394d2309 bad sort on subfields startswith/endswith 2022-08-23 14:35:48 -05:00
Ben Montour 6aabfaba4f added modified field with current date 2022-08-23 14:32:10 -05:00
Ben Montour f733105daa renamed properties.message to operationName 2022-08-23 14:20:26 -05:00
Tim Shelton 9ddf0ce735 spelling mistake 2022-08-18 15:51:43 +00:00
Tim Shelton 65db776a9b Fixing spelling mistake. same as found the other day 2022-08-18 15:49:23 +00:00
frack113 288461ddbe Order placerholder rules 2022-08-17 21:05:34 +02:00
Mark Morowczynski 7a5d715d83 Last remaining AAD SecOps Guide rules (#3364) 
* Last remaining AAD SecOps Guide rules
 2022-08-17 20:57:58 +02:00
Tim Shelton cfd3e17bc7 Fixes spelling mistake of success (missing a c) 2022-08-16 19:27:06 +00:00
Florian Roth b5ebc2033e Update azure_privileged_account_creation.yml 2022-08-11 18:25:10 +02:00
Mark Morowczynski 10871396c4 Create azure_privileged_account_creation.yml 
Detects when a priv account is created
 2022-08-11 07:08:15 -07:00
Mark Morowczynski 8a750770cf Create azure_guest_invite_failure.yml 
Detection when a user without proper permissions attempts to invite a guest account.
 2022-08-10 11:01:40 -07:00
Mark Morowczynski d1c5153103 Create azure_tap_added.yml 
Detection for temporary access pass (TAP) added to an account.
 2022-08-10 07:09:09 -07:00
Mark Morowczynski 5591d965ce Create azure_pim_change_settings.yml 
Detect when changes are made to PIM settings
 2022-08-09 12:42:29 -07:00
Mark Morowczynski 0c0afaa45c Create azure_pim_activation_approve_deny.yml 
Detection for PIM elevation
 2022-08-09 10:01:01 -07:00
Mark Morowczynski cdbaa27b9e Update azure_pim_alerts_disabled.yml 
fixing MITRE tag
 2022-08-09 08:39:45 -07:00
Mark Morowczynski c455b6bafc Create azure_pim_alerts_disabled.yml 
Detect when PIM alert settings changed to disabled
 2022-08-09 08:00:48 -07:00
Mark Morowczynski 13e5d53f8d Create azure_priviledged_role_assignment_add.yml 
User added to privilege role assignment
 2022-08-06 07:04:33 -07:00
Mark Morowczynski a17a2468d5 Create azure_priviledged_role_assignment_bulk_change.yml 
Priv role assignment removal
 2022-08-05 16:06:41 -07:00
Florian Roth dd0903bc7a Merge pull request #3330 from MarkMorow/markmorow 
Create azure_group_user_addition_ca_modification.yml
 2022-08-05 23:32:31 +02:00
Mark Morowczynski 203d3509ca Create azure_group_user_addition_ca_modification.yml 
Adding rule for user added to group with CA modification access
 2022-08-05 13:46:51 -07:00
frack113 fd383faeec Merge pull request #3326 from MarkMorow/markmorow 
Markmorow
 2022-08-05 19:49:09 +02:00