Commit Graph

3 Commits

Author SHA1 Message Date
Isai 9925a39826 [Rule Tuning] AWS IAM SAML Provider Updated (#5284)
* [Rule Tuning] AWS IAM SAML Provider Updated

Rule is performing well in telemetry, low volume as expected. The only obvious false positives are from AWS SSO service so that internal behavior has been excluded from the rule.

- added AWS SSO exclusion to query
- updated description and IG
- added highlighted fields

* Update rules/integrations/aws/privilege_escalation_iam_saml_provider_updated.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-11-17 15:34:08 -05:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Terrance DeJesus 2559b7bb41 [Rule Tuning] Tuning AWS Rules for SAML Provider Updates and Assumed Roles via STS (#3898)
* tuning AWS rules for SAML provider updates and assumed roles via STS

* fixed mitre mapping

* adjusted new terms and added user ID to query

* reverting new terms value change

* adding non-ecs to new term checks

* fixing mitre mapping

* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

* reverting file removal to add diff changes

* changing rule contents

* reverting rule changes

* added rule contents

* changed file name

* linted

* reverting lint
2024-08-20 11:53:46 -04:00