github-actions[bot]
a6e7cce606
Merge PR #4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-11-02 10:48:45 +01:00
Sean Johnstone
fa85c19b97
Merge PR #4523 from @sj-sec - Add New AWS Rule S3 Bucket Versioning Disable
new: AWS S3 Bucket Versioning Disable
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-29 01:17:14 +02:00
Nasreddine Bencherchali
95793d73bd
Merge PR #4482 From @nasbench - Add New Automation Workflows
chore: update workflows and add quality of life updates and automation to the repository
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00
frack113
020fc8061f
Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days
---------
Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2023-10-17 14:35:26 +02:00
Nasreddine Bencherchali
7364ce00b1
Merge PR #4476 from @nasbench - re-organize cloud folder and other things
fix: Azure Active Directory Hybrid Health AD FS New Server - Update Logsource to align with the rest of the azure rules
fix: Azure Active Directory Hybrid Health AD FS Service Delete - Update Logsource to align with the rest of the azure rules
fix: Number Of Resource Creation Or Deployment Activities - Update Logsource to align with the rest of the azure rules
fix: Granting Of Permissions To An Account - Update Logsource to align with the rest of the azure rules
fix: Rare Subscription-level Operations In Azure - Update Logsource to align with the rest of the azure rules
fix: Google Workspace Application Removed - Update logsource product field to `gcp`
fix: Google Workspace Granted Domain API Access - Update logsource product field to `gcp`
fix: Google Workspace MFA Disabled - Update logsource product field to `gcp`
fix: Google Workspace Role Modified or Deleted - Update logsource product field to `gcp`
fix: Google Workspace Role Privilege Deleted - Update logsource product field to `gcp`
fix: Google Workspace User Granted Admin Privileges - Update logsource product field to `gcp`
2023-10-12 13:32:24 +02:00
Michael
43277f26fc
Merge PR #4461 from @WTFender - Create AWS rule aws_sso_idp_change.yml
new: AWS Identity Center Identity Provider Change
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2023-09-29 16:37:01 +02:00
Daniel Bohannon
3ce631af50
Merge pull request #4294 from @danielbohannon - Permiso p0-LUCR-1 (aka GUI-vil)
new: AWS IAM S3Browser Templated S3 Bucket Policy Creation
---------
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-08-24 12:21:34 +02:00
Nasreddine Bencherchali
2c3d19f335
Merge pull request #4293 from danielbohannon/patch-1
2023-07-17 12:19:05 +02:00
Nasreddine Bencherchali
e59f9d6f61
chore: add missing quotes
2023-06-23 10:17:09 +02:00
Nasreddine Bencherchali
1562630a17
chore: update structure
2023-06-23 10:16:53 +02:00
Nasreddine Bencherchali
fac3e34f92
fix: broken selection
2023-06-23 10:12:23 +02:00
Nasreddine Bencherchali
135855e9a7
chore: update structure
2023-06-23 10:10:13 +02:00
Daniel Bohannon
7dbfa195bd
Permiso p0-LUCR-1 (aka GUI-vil)
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
2023-06-06 17:18:06 -04:00
Daniel Bohannon
0348c1adbb
Permiso p0-LUCR-1 (aka GUI-vil)
Adding Sigma rules outlined in the following blog post associated with named cloud-focused threat actor p0-LUCR-1 (aka GUI-vil): https://permiso.io/blog/s/unmasking-guivil-new-cloud-threat-actor
2023-06-06 17:08:14 -04:00
Nasreddine Bencherchali
7ce4a9b7ec
fix: add missing modified
2023-04-28 11:12:30 +02:00
muratogul
961aebb8ef
corrected eventSource on aws_enum_buckets.yml file
2023-04-27 22:53:34 -07:00
erickatwork
91bc015216
feat: update description ECS TASK DEF rule (#4181)
2023-04-25 11:00:24 +02:00
Nasreddine Bencherchali
3d9372bef3
feat: new rules, updates and fp fixes (#4136)
2023-04-03 12:06:14 +02:00
frack113
4023bf2c83
Remove mitre url
2023-01-10 18:09:04 +01:00
Nasreddine Bencherchali
e08358de3b
fix: add related field
2023-01-07 13:13:48 +01:00
frack113
d73fe7ecfe
Update rules/cloud/aws/aws_enum_buckets.yml
2023-01-07 12:39:50 +01:00
securepeacock
4c3e79cccb
Create aws_enum_buckets.yml
2023-01-06 17:36:08 -05:00
BlueTeamOps
05135ec828
Further improved several AWS rules (#3827)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-28 19:46:36 +01:00
frack113
7060db3d47
Promotion rules (#3821)
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-27 12:29:10 +01:00
Nasreddine Bencherchali
a1b2e0ee81
Merge pull request #3781 from blueteam0ps/aws_det
Multiple AWS detection rules
2022-12-23 12:41:15 +01:00
frack113
32b7ef47df
Add count condition
2022-12-23 12:32:05 +01:00
Nasreddine Bencherchali
a3f897606f
fix: enhance metadata information
2022-12-23 11:01:57 +01:00
BlueTeamOps
426dc04fd1
Added timeframe
2022-12-22 07:56:14 +11:00
BlueTeamOps
855ca77253
Added a timeframe
2022-12-22 07:49:26 +11:00
BlueTeamOps
3b4bf47d59
Added timeframe
2022-12-22 07:40:48 +11:00
frack113
646351808e
Refactor (#3794)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
2022-12-18 21:00:14 +01:00
Nasreddine Bencherchali
97c43eaa73
fix: duplicate id
2022-12-16 10:32:18 +01:00
frack113
066ab2680d
Change to LF
2022-12-16 09:24:19 +01:00
BlueTeamOps
02fdcf037e
fixed the eventNames to be inline
2022-12-16 18:56:15 +11:00
BlueTeamOps
5563195c77
fixed up eventName
2022-12-16 18:55:09 +11:00
BlueTeamOps
f1c53264b2
Multiple AWS rules
Multiple AWS rules based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
2022-12-13 22:30:28 +11:00
BlueTeamOps
2958fc35e5
Delete aws_delete_identity.yml
2022-12-13 22:29:16 +11:00
BlueTeamOps
77accc82d7
Delete aws_ses_messaging_enabled.yml
2022-12-13 22:29:00 +11:00
BlueTeamOps
d2f0f6ddec
Delete aws_enum_storage.yml
2022-12-13 22:28:48 +11:00
BlueTeamOps
155aa8412e
Delete aws_enum_network.yml
2022-12-13 22:28:36 +11:00
BlueTeamOps
4debb454a7
Delete aws_enum_logging.yml
2022-12-13 22:28:27 +11:00
BlueTeamOps
53cfd3b7a1
Multiple AWS use cases
Multiple AWS use cases based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
2022-12-13 22:23:50 +11:00
frack113
556dd8f400
Order yaml field
2022-10-25 07:34:10 +02:00
frack113
931fb30853
old experimental rule promotion
2022-10-09 16:54:04 +02:00
Nasreddine Bencherchali
88f10a5d39
Fix issues
2022-10-05 17:19:48 +02:00
David ANDRE
0b0190ccb1
Added quotes to strings
2022-09-01 15:22:26 +02:00
Nasreddine Bencherchali
62574e9b0c
Update Ref+Selection 3
2022-07-11 18:12:51 +01:00
Nasreddine Bencherchali
d03f6df250
Reference Update [Batch 1]
2022-07-07 15:24:15 +01:00
Darin Smith
d29eb1e48c
Change to all selection elements rather than a filter and a selection
2022-06-08 09:13:48 -07:00
Darin Smith
04bcbcdb44
Minor change, filter param should not be a list
2022-06-08 06:58:19 -07:00
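Several commits in this history ("Add count condition", "Added timeframe", "corrected eventSource on aws_enum_buckets.yml file") touch the parts of a Sigma cloud rule that are easy to get subtly wrong: the `count() by` aggregation, the `timeframe` window, and the `eventSource` value that scopes CloudTrail records. The block below is an added example, not a SigmaHQ rule, not pySigma, and not code from any contributor listed above. It evaluates a constructed rule in Sigma's logsource/detection/condition layout over constructed CloudTrail-like records with a sliding window, so the effect of the threshold, the window and a wrong `eventSource` can be seen directly. The rule title, threshold, event names, timeframe and ARNs are all assumptions.

```python
"""Sigma-style count/timeframe evaluation over CloudTrail records.
Added example: not a SigmaHQ rule, not pySigma, not contributor code.
Rule body, threshold, event names, ARNs and records are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed rule in Sigma's logsource/detection/condition layout.
# A selection map is AND across keys; a list value is OR within a key.
RULE = {
    "title": "AWS S3 Bucket Enumeration (constructed example)",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventSource": "s3.amazonaws.com",
            "eventName": ["ListBuckets", "GetBucketAcl"],
        },
        "condition": "selection | count() by userIdentity.arn > 2",
        "timeframe": "5m",
    },
}

COUNT_RE = re.compile(
    r"^(?P<sel>\w+)\s*\|\s*count\(\)\s*by\s+(?P<by>[\w.]+)\s*(?P<op>>=|>)\s*(?P<n>\d+)$"
)
OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_timeframe(text):
    """'5m' -> timedelta(minutes=5); only s/m/h/d suffixes are accepted."""
    m = re.fullmatch(r"(\d+)([smhd])", text)
    if not m:
        raise ValueError(f"unsupported timeframe: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2)])


def get_field(record, dotted):
    """Resolve a dotted Sigma field name (userIdentity.arn) in a nested dict."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_selection(record, selection):
    for field, expected in selection.items():
        options = expected if isinstance(expected, list) else [expected]
        if get_field(record, field) not in options:
            return False
    return True


def evaluate(rule, records):
    """{group_key: info} for each group whose matching events exceed the
    threshold inside a sliding window of the rule's timeframe."""
    det = rule["detection"]
    m = COUNT_RE.match(det["condition"])
    if not m:
        raise ValueError("only '<selection> | count() by <field> >(=) <n>' is supported")
    selection = det[m.group("sel")]
    group_field, cmp, threshold = m.group("by"), OPS[m.group("op")], int(m.group("n"))
    window = parse_timeframe(det["timeframe"])
    hits = sorted((r for r in records if matches_selection(r, selection)),
                  key=lambda r: r["eventTime"])
    recent = defaultdict(deque)  # group key -> timestamps still inside the window
    alerts = {}
    for r in hits:
        key = get_field(r, group_field)
        ts = datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00"))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # evict events that fell out of the window
            q.popleft()
        if key not in alerts and cmp(len(q), threshold):
            alerts[key] = {"count": len(q), "first": q[0].isoformat(), "last": ts.isoformat()}
    return alerts


def _event(time, user, name, source="s3.amazonaws.com"):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"}}


SAMPLE_EVENTS = [  # constructed records, not a real CloudTrail export
    # alice: three S3 enumeration calls within 90 seconds -> fires
    _event("2023-01-06T17:00:00Z", "alice", "ListBuckets"),
    _event("2023-01-06T17:00:40Z", "alice", "ListBuckets"),
    _event("2023-01-06T17:01:30Z", "alice", "GetBucketAcl"),
    # bob: same volume spread over 20 minutes -> never 3 inside 5m
    _event("2023-01-06T17:00:00Z", "bob", "ListBuckets"),
    _event("2023-01-06T17:10:00Z", "bob", "ListBuckets"),
    _event("2023-01-06T17:20:00Z", "bob", "ListBuckets"),
    # carol: third call carries the wrong eventSource, so it is not counted
    _event("2023-01-06T17:00:00Z", "carol", "ListBuckets"),
    _event("2023-01-06T17:00:10Z", "carol", "ListBuckets"),
    _event("2023-01-06T17:00:20Z", "carol", "ListBuckets", source="iam.amazonaws.com"),
]

if __name__ == "__main__":
    for arn, info in evaluate(RULE, SAMPLE_EVENTS).items():
        print(f"{RULE['title']}: {arn} made {info['count']} calls "
              f"between {info['first']} and {info['last']}")
```

Only alice fires: bob's three calls never share a five-minute window, and carol's third record is excluded by `eventSource`, which is the kind of mismatch the "corrected eventSource" commit fixed. The evaluator deliberately supports only `>` and `>=`, since a "fewer than n" count over a sliding window is ambiguous without a fixed bucketing scheme.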