Bryan Lim
24b9ed72c1
Merge PR #4621 from @zestsg - Add New GCP / Google Workspace Related Rules
new: GCP Break-glass Container Workload Deployed
new: Google Workspace Application Access Levels Modified
new: GCP Access Policy Deleted
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2024-01-12 12:49:02 +01:00
github-actions[bot]
ae960f0881
Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test
chore: promote older rules status from experimental to test
Co-authored-by: nasbench <nasbench@users.noreply.github.com>
2023-12-01 12:50:36 +01:00
github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Sean Johnstone
fa85c19b97
Merge PR #4523 from @sj-sec - Add New AWS Rule S3 Bucket Versioning Disable
new: AWS S3 Bucket Versioning Disable
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-29 01:17:14 +02:00
Wagga
8bf3282194
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
update: Registry Persistence via Service in Safe Mode - Fix typo in title
chore: Fix multiple typos in metadata fields and comments
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-10-28 13:15:09 +02:00
z00t
284730b966
Merge PR #4509 from @faisalusuf - Add New Rules Related to Okta Breach
new: Okta 2023 Breach Indicator Of Compromise
new: Okta Password Health Report Query
new: Okta Admin Functions Access Through Proxy
new: New Okta User Created
update: Okta New Admin Console Behaviours - Field notation
update: Potential Okta Password in AlternateID Field - Field notation
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-10-28 12:50:04 +02:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Nasreddine Bencherchali
7364ce00b1
Merge PR #4476 from @nasbench - re-organize cloud folder and other things
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
2023-10-12 13:32:24 +02:00
Michael
43277f26fc
Merge PR #4461 from @WTFender - Create AWS rule aws_sso_idp_change.yml
new: AWS Identity Center Identity Provider Change
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-29 16:37:01 +02:00
Sanjay Govind
eb2f82cbc3
Merge PR #4450 from @sanjay900 - Fix Typo
fix: Disabling Multi Factor Authentication - Fix typo in title, description and detection logic
2023-09-19 01:18:50 +02:00
cyb3rjy0t
229b70f68a
Merge PR #4401 from @cyb3rjy0t - Add New O365 Related Rules
new: Disabling Multi Factor Authenication
new: New Federated Domain Added
update: New Federated Domain Added - Exchange
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-18 19:30:16 +02:00
Mark Morowczynski
f28b89c084
Merge PR #4445 from @MarkMorow - New Azure PIM Rules
new: Stale Accounts In A Privileged Role
new: Invalid PIM License
new: Roles Assigned Outside PIM
new: Roles Activated Too Frequently
new: Roles Activation Doesn't Require MFA
new: Roles Are Not Being Used
new: Too Many Global Admins
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-14 22:02:30 +02:00
Mark Morowczynski
e5fabcbd2f
Merge PR #4429 from @MarkMorow - Add New Azure Identity Protection Rules
new: Malicious IP Address Sign-In Failure Rate
new: Malicious IP Address Sign-In Suspicious
new: Primary Refresh Token Access Attempt
new: Azure AD Threat Intelligence
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-11 22:53:52 +02:00
Nick Moore
a6c20d8b71
Merge PR #4428 from @kelnage - Add Okta Cross-Tenant Impersonation Rules
new: Okta Identity Provider Created
new: Okta New Admin Console Behaviours
new: Okta Suspicious Activity Reported by End-user
new: Okta User Session Start Via An Anonymising Proxy Service
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-11 22:52:18 +02:00
Mark Morowczynski
efe2c9bbcb
Merge PR #4423 from @MarkMorow - Add Azure AD Identity Protection Rules
new: Anomalous User Activity
new: Activity From Anonymous IP Address
new: Atypical Travel
new: Impossible Travel
new: Suspicious Inbox Forwarding Identity Protection
new: Suspicious Inbox Manipulation Rules
new: Azure AD Account Credential Leaked
new: Sign-In From Malware Infected IP
new: New Country
new: Password Spray Activity
new: Suspicious Browser Activity
new: SAML Token Issuer Anomaly
new: Unfamiliar Sign-In Properties
---------
Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-06 10:56:13 +02:00
Daniel Bohannon
3ce631af50
Merge pull request #4294 from @danielbohannon - Permiso p0-LUCR-1 (aka GUI-vil)
new: AWS IAM S3Browser Templated S3 Bucket Policy Creation
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-08-24 12:21:34 +02:00
gleeiamglo
832c15a4c9
Merge pull request #4384 from @gleeiamglo
new: Anonymous IP Address
---------
Co-authored-by: gllee <gllee@microsoft.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-08-23 14:45:56 +02:00
frack113
450b619c13
Change field name in detection
2023-08-10 06:21:38 +02:00
Nasreddine Bencherchali
67d0d2afff
chore: change service name to lowercase
2023-08-08 15:41:08 +02:00
frack113
a66b38d3df
Fix to pass the tests
2023-08-08 06:47:08 +02:00
Mark Morowczynski
fa780ec7b9
Update azure_identity_protectection_anomalous_token.yml
Deleting extra space
2023-08-07 18:36:25 -07:00
Mark Morowczynski
ef2d8b4c99
Create azure_identity_protectection_anomalous_token.yml
Adding the first of several identity protection alerts
2023-08-07 18:33:35 -07:00
Nasreddine Bencherchali
2c3d19f335
Merge pull request #4293 from danielbohannon/patch-1
2023-07-17 12:19:05 +02:00
Nasreddine Bencherchali
e59f9d6f61
chore: add missing quotes
2023-06-23 10:17:09 +02:00
Nasreddine Bencherchali
1562630a17
chore: update structure
2023-06-23 10:16:53 +02:00
Nasreddine Bencherchali
fac3e34f92
fix: broken selection
2023-06-23 10:12:23 +02:00
Nasreddine Bencherchali
135855e9a7
chore: update structure
2023-06-23 10:10:13 +02:00
Daniel Bohannon
7dbfa195bd
Permiso p0-LUCR-1 (aka GUI-vil)
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
2023-06-06 17:18:06 -04:00
Daniel Bohannon
0348c1adbb
Permiso p0-LUCR-1 (aka GUI-vil)
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
2023-06-06 17:08:14 -04:00
Austin Songer
b72e7fc6eb
Update rules/cloud/okta/okta_fastpass_phishing_detection.yml
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
2023-05-10 01:18:00 -05:00
Austin Songer
3e9cfc3e7c
Update okta_fastpass_phishing_detection.yml
2023-05-08 11:26:21 -05:00
Austin Songer
8dc803df95
Update okta_fastpass_phishing_detection.yml
2023-05-08 10:35:19 -05:00
Austin Songer
df04652768
Update okta_fastpass_phishing_detection.yml
2023-05-07 20:16:54 -05:00
Austin Songer
616bf2a819
Update okta_fastpass_phishing_detection.yml
2023-05-07 20:06:23 -05:00
Austin Songer
ce62346e4f
Create okta_fastpass_phishing_detection.yml
2023-05-07 19:43:39 -05:00
Nasreddine Bencherchali
7ce4a9b7ec
fix: add missing modified
2023-04-28 11:12:30 +02:00
muratogul
961aebb8ef
corrected eventSource on aws_enum_buckets.yml file
2023-04-27 22:53:34 -07:00
erickatwork
91bc015216
feat: update description ECS TASK DEF rule (#4181)
2023-04-25 11:00:24 +02:00
Nick Moore
463d9fff82
feat: new rule Potential Okta Password in AlternateID Field (#4158)
2023-04-05 13:21:03 +02:00
Nasreddine Bencherchali
3d9372bef3
feat: new rules, updates and fp fixes (#4136)
2023-04-03 12:06:14 +02:00
FormindGMO
fad662ab15
#4149 Fix ALA Rules Compilation (parser and broken azure rules) (#4150)
2023-03-29 23:07:40 +02:00
phantinuss
98ab4bcd6a
fix: wording
2023-03-21 08:58:22 +01:00
Nasreddine Bencherchali
b253e8cafc
fix: apply suggestions from code review
2023-03-20 22:02:38 +01:00
phantinuss
d6b91a9abf
fix: file extension (3)
2023-03-20 09:54:28 +01:00
phantinuss
23fc8e1d0c
fix: file extension (2)
2023-03-20 09:40:23 +01:00
phantinuss
f53e9676bb
fix: missing file extension
2023-03-20 08:55:49 +01:00
cyb3rjy0t
14eea4ebcb
azure_ad_suspicious_signin_bypassingMFA
2023-03-20 00:41:33 -04:00
Wagga
273fdb9985
fix: typos in multiple rules (#4011)
2023-02-06 13:53:23 +01:00
frack113
9e51af56ca
Merge pull request #3974 from MarkMorow/master
Update tags for MITRE ATT&CK
2023-01-31 07:34:34 +01:00