blue-team-tools

Author	SHA1	Message	Date
Austin Songer	1fffb7a3f5	Gworkspace MFA disabled.	2021-08-26 20:28:35 -05:00
Roberto Rodriguez	f98970ef06	adding basic rules to detect behavior around AAD health agents and AAD Hybrid Health AD FS services in Azure	2021-08-26 16:10:42 -04:00
$frack113$ frack113	1d725e8519	add gworkspace_user_granted_admin_privileges.yml	2021-08-25 08:15:18 +02:00
$frack113$ frack113	7028aba3bd	Merge pull request #1919 from austinsonger/gworkspace-rules Role-Based Rules	2021-08-24 21:46:15 +02:00
$frack113$ frack113	09a00232fb	update references	2021-08-24 21:14:59 +02:00
$frack113$ frack113	a5f858b63c	update references	2021-08-24 21:13:49 +02:00
Austin Songer	ab8cc52dc6	Role-Based Rules	2021-08-24 10:53:59 -05:00
Austin Songer	62f2affd03	Spelling fix	2021-08-24 14:15:50 +00:00
$frack113$ frack113	ade7295cab	Merge pull request #1911 from austinsonger/gworkspace_granted_domain_api_access.yml gworkspace_granted_domain_api_access.yml	2021-08-24 08:01:34 +02:00
$frack113$ frack113	d8befe3a13	Update References	2021-08-24 07:34:33 +02:00
$frack113$ frack113	07dc04b1db	Merge pull request #1910 from austinsonger/gworkspace_user_assigned_admin_role.yml gworkspace_user_assigned_admin_role.yml	2021-08-24 07:22:25 +02:00
Austin Songer	facd58bd0a	Delete gworkspace_user_granted_admin_privileges.yml	2021-08-23 21:19:51 -05:00
Austin Songer	3cd43bfd9b	Create gworkspace_granted_domain_api_access.yml	2021-08-23 21:19:44 -05:00
Austin Songer	aa7a8a3e71	Update gworkspace_user_granted_admin_privileges.yml	2021-08-23 19:58:20 -05:00
Austin Songer	0fe2b3f569	Update and rename gworkspace_user_assigned_admin_role.yml to gworkspace_user_granted_admin_privileges.yml	2021-08-23 19:52:32 -05:00
Austin Songer	ede0332f22	Delete microsoft365_suspicious_inbox_manipulation_rules.yml	2021-08-23 19:40:20 -05:00
Austin Songer	3dd201d36f	Rename workspace_user_assigned_admin_role.yml to gworkspace_user_assigned_admin_role.yml	2021-08-23 19:38:58 -05:00
Austin Songer	6b1f0b83f4	Create workspace_user_assigned_admin_role.yml	2021-08-23 19:38:47 -05:00
Austin Songer	c0e58d3c27	Update	2021-08-23 23:00:58 +00:00
Austin Songer	29e1ce7e8f	Update	2021-08-23 22:50:39 +00:00
Austin Songer	ad892eb239	Update	2021-08-23 22:46:37 +00:00
Austin Songer	84944cf849	Update	2021-08-23 22:30:11 +00:00
Austin Songer	53482b7e9c	Update	2021-08-23 22:19:41 +00:00
Austin Songer	754158bfd2	Update	2021-08-23 22:18:12 +00:00
Austin Songer	da69b2f531	Update	2021-08-23 22:09:27 +00:00
Austin Songer	595bd3b80f	Updated	2021-08-23 22:07:09 +00:00
Austin Songer	1fa32fcd1a	Update	2021-08-23 22:02:47 +00:00
Austin Songer	4ab9519546	Update	2021-08-23 18:59:07 +00:00
Austin Songer	8e4b8f45dd	Update	2021-08-23 18:57:17 +00:00
Austin Songer	a5c551ad61	Merge branch '365' of https://github.com/austinsonger/sigma into 365	2021-08-23 18:55:40 +00:00
Austin Songer	41786a1b63	In-Progress	2021-08-23 18:55:29 +00:00
Austin Songer	3d151ef9f1	Update microsoft365_logon_from_risky_ip_address.yml	2021-08-23 12:59:53 -05:00
Austin Songer	23e96712f8	Update microsoft365_data_exfiltration_to_unsanctioned_app.yml	2021-08-23 12:59:44 -05:00
Austin Songer	1834324a16	Update	2021-08-23 17:33:57 +00:00
Austin Songer	7d211f2487	Data exfiltration to unsanctioned apps	2021-08-23 17:33:00 +00:00
Austin Songer	3a4c61f44d	M365 - Inbox Manipulation Rules	2021-08-23 17:21:27 +00:00
Austin Songer	ae84559488	M365 - Risky IP Addresses	2021-08-23 17:18:16 +00:00
$frack113$ frack113	52595de85e	Merge pull request #1889 from rachelrice/update_aws_rules Update AWS CloudTrail rules	2021-08-23 11:14:31 +02:00
$frack113$ frack113	07a87aa7f8	Merge pull request #1858 from frack113/fix_pr718 Replace pr718	2021-08-21 18:02:30 +02:00
$frack113$ frack113	dbbb422a42	Merge pull request #1885 from austinsonger/microsoft365_unusual_volume_of_file_deletion.yml microsoft365_unusual_volume_of_file_deletion.yml	2021-08-20 17:20:43 +02:00
$frack113$ frack113	34ac3587e9	Merge pull request #1884 from austinsonger/microsoft365_potential_ransomware_activity.yml microsoft365_potential_ransomware_activity.yml	2021-08-20 17:20:34 +02:00
$frack113$ frack113	73fee68d4b	Merge pull request #1883 from austinsonger/microsoft365_user_restricted_from_sending_email.yml microsoft365_user_restricted_from_sending_email.yml	2021-08-20 17:20:22 +02:00
$frack113$ frack113	b9a355e3f4	cleanup falsepositives	2021-08-20 17:18:32 +02:00
Florian Roth	b92346ba5f	Merge pull request #1882 from austinsonger/win_susp_bitstransfer.yml win_susp_bitstransfer.yml	2021-08-20 16:53:52 +02:00
Rachel Rice	f037f5b0a9	Add filter3 back for vm export failure, without consolelogin Signed-off-by: Rachel Rice <rachel.rice@lacework.net>	2021-08-20 15:42:49 +01:00
Austin Songer	a25f6e196f	Update microsoft365_unusual_volume_of_file_deletion.yml	2021-08-20 08:17:25 -05:00
Austin Songer	360b936357	Update microsoft365_potential_ransomware_activity.yml	2021-08-20 08:17:09 -05:00
Austin Songer	ae36804935	Update microsoft365_user_restricted_from_sending_email.yml	2021-08-20 08:16:48 -05:00
Rachel Rice	f09b3ea4b1	Update AWS CloudTrail rules aws_ec2_disable_encryption.yml Remove `status: success` from selection criteria, not required aws_ec2_vm_export_failure.yml Remove filter3: ``` eventName: 'ConsoleLogin' responseElements\|contains: 'Failure' ``` Incompatible with selection criteria `eventName: 'CreateInstanceExportTask'` aws_ec2_download_userdata.yml, aws_iam_backdoor_users_keys.yml, aws_rds_change_master_password.yml, aws_rds_public_db_restore.yml Update reference aws_sts_assumedrole_misuse.yml Rename to aws_sts_assumerole_misuse.yml Update references to "AssumedRole" to "AssumeRole" Update selection criteria of `userIdentity.sessionContext: Role` to `userIdentity.sessionContext.sessionIssuer.type: Role`	2021-08-20 13:43:00 +01:00
$frack113$ frack113	4e29dc9c45	fix title	2021-08-20 09:06:16 +02:00

... 3 4 5 6 7 ...

568 Commits