63400139bd
Merge pull request #3110 from FlorianBracq/patch-1
...
Updating azure federation modified rule
2022-06-08 22:19:17 +02:00
f5211710d6
Update modification date
2022-06-08 18:54:03 +02:00
d29eb1e48c
Change to all selection elements rather than a filter and a selection
2022-06-08 09:13:48 -07:00
9647183716
Updating azure federation modified
...
* Set logsource service to auditlogs instead of signinlogs
* Add reference to Microsoft documentation
* Set field name in selection to ActivityDisplayName instead of properties.message
2022-06-08 17:17:26 +02:00
04bcbcdb44
Minor change, filter param should not be a list
2022-06-08 06:58:19 -07:00
61df0b9218
Update with suggested changes
2022-06-08 06:47:30 -07:00
09e31d2045
update with command field
2022-06-07 10:45:05 -07:00
8a59eb594e
Add rule for ECS backdoors
2022-06-07 10:36:31 -07:00
db58345bc6
Update selection_source for AWS ec2 startup script rule
...
The JSON payload for `ModifyInstanceAttribute` event currently looks like:
```
"requestParameters": {
"attribute": "userData",
...
},
```
Updating the selection_source from `requestParameters.userData: "*"` to `requestParameters.attribute: "userData"` accordingly.
Signed-off-by: Rachel Rice <rachel.rice@lacework.net >
2022-06-07 13:20:08 +01:00
e8c70a05d1
Create azure_app_owner_added.yml
...
Added checking for new application owner.
2022-06-02 13:37:00 -07:00
fd5eb53e1d
Create azure_app_appid_uri_changes.yml
...
Adding AppID URI changes check
2022-06-02 09:46:23 -07:00
55666836e6
Create azure_app_uri_modifications.yml
...
Adding Application URI changes
2022-06-02 06:44:35 -07:00
3412f29250
Update azure_app_device_code_authentication.yml
2022-06-02 13:58:37 +02:00
5be01c8bb4
Update azure_app_device_code_authentication.yml
2022-06-02 13:50:49 +02:00
2b599c07c6
Update and rename azure_app_device_code_authentication to azure_app_device_code_authentication.yml
2022-06-02 06:20:26 +02:00
e148de65bb
Merge branch 'SigmaHQ:master' into markmorow
2022-06-01 10:59:56 -07:00
e09221d9f7
Create azure_app_device_code_authentication
...
Adding Device Code flow authentication check
2022-06-01 10:59:03 -07:00
dec8b93296
Merge pull request #3075 from MarkMorow/markmorow
...
Markmorow
2022-06-01 19:06:27 +02:00
4114ceef65
Update azure_app_ropc_authentication.yml
...
Update Properities.message since it's one element.
2022-06-01 09:35:45 -07:00
375eeab4fa
Update azure_app_ropc_authentication.yml
2022-06-01 08:42:44 -07:00
fe64f81674
Create azure_app_ropc_authentication.yml
...
Adding ROPC Auth check
2022-06-01 08:41:43 -07:00
5fd61875dc
fix title case
2022-06-01 17:37:17 +02:00
6b0584ddd2
Update azure_conditional_access_failure.yml
2022-06-01 17:27:00 +02:00
21da958f98
Delete azure_conditional_access_failure.txt
2022-06-01 12:58:34 +01:00
b912a8a7c2
Merge branch 'Yochana-H' of https://github.com/Yochana-H/sigma into Yochana-H
2022-06-01 12:04:28 +01:00
8d8e74d44d
Create azure_conditional_access_failure.txt
...
Sign-In failures due to Conditional Access requirements not being met.
2022-06-01 12:04:24 +01:00
eec0dfe821
Create azure_conditional_access_failure.txt
...
Sign-In failures due to Conditional Access requirements not being met.
2022-06-01 10:22:43 +01:00
95a0263799
Rename azure_aad_secops _signin_failure_bad_password_threshold.yml to azure_aad_secops_signin_failure_bad_password_threshold.yml
2022-05-31 20:43:32 +02:00
cafc12e334
Update azure_aad_secops _signin_failure_bad_password_threshold.yml
2022-05-31 20:36:37 +02:00
9f115af449
Update azure_aad_secops _signin_failure_bad_password_threshold.yml
...
updated title to remove capital letters and replaced a tag with the proper MITRE tactic check.
2022-05-31 11:25:03 -05:00
b5a47ef967
Create azure_aad_secops _signin_failure_bad_password_threshold.yml
2022-05-30 05:35:52 -05:00
32e6a82cf2
Update azure_app_credential_added.yml
2022-05-27 06:56:07 +02:00
5229c05cab
Update azure_app_credential_added.yml
...
Changes based on Sigma template rules
2022-05-26 12:36:38 -07:00
97efeada5f
Update .gitignore
2022-05-26 09:39:00 -07:00
34d06708e5
Create azure_app_credential_added.yml
...
App Credential Add rule
2022-05-25 19:13:26 -07:00
74b9f97b9c
Renamed suspicious in filenames to susp
2022-05-19 09:37:04 +02:00
112b715dd6
chore: test rules: reactivate single value list check
2022-05-10 17:13:04 +02:00
dbd68bf3f0
chore: test rules: capitalization on FP list entries
...
Entires to the false positive list should begin with
a capital letter. e.g. Unkown instead of unkown.
Fixed the existing rules accordingly
2022-05-09 16:07:44 +02:00
7cbfc7f16a
fix: remove . from title
2022-04-06 17:04:10 +02:00
15c6fad973
Merge pull request #2850 from hieuttmmo/master
...
Rule to detect when any MFA Denied recorded by Azure SigninLogs
2022-03-25 11:35:49 +01:00
0b97d37faf
Update azure_mfa_denies.yml
2022-03-24 21:26:13 +01:00
1fe45bd593
Merge branch 'SigmaHQ:master' into master
2022-03-24 16:53:41 +04:00
713bc24750
Add new MFA Denied rule
2022-03-24 16:53:01 +04:00
70acb06c16
fix: old azure notation
2022-03-22 18:15:33 +01:00
e91fc4486e
refactor: first bigger log source refactoring
...
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
2022-03-22 17:58:29 +01:00
e477264aa0
fix: azure log source fix
2022-03-21 11:20:07 +01:00
043747822f
fix: more falsepositives harmonization
2022-03-16 14:57:06 +01:00
6ae28b7a1c
fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00
b23eee6ebf
fix: unknown --> Unknown
2022-03-16 13:43:54 +01:00
a2031b7898
fix: condition with 1 of them
2022-03-05 12:39:04 +01:00
frack113