shashank-elastic
b70792082a
Fix pipe characters in rule descriptions (#4893)
2025-07-10 15:11:20 +05:30
Terrance DeJesus
6e2936aa8c
[New Rule] TeamFiltration User-Agents Detected (#4868)
* new rule TeamFiltration User-Agents Detected
* changed UUID
* tightened index scope
* fixing query optimization
* adjusted query
2025-07-08 09:56:06 -04:00
Terrance DeJesus
acfc106164
new rule Suspicious Entra ID OAuth User Impersonation Scope Detected (#4876)
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-07-07 14:29:06 -04:00
shashank-elastic
9b292b97ea
Prep 8.19/9.1 (#4869)
* Prep 8.19/9.1 Release
* Download Beats Schema
* Download API Schema
* Download 8.18.3 Beats Schema
* Download Latest Integrations manifest and schema
* Comment old schemas
* Update Patch version
2025-07-07 11:27:48 -04:00
Terrance DeJesus
6a083ec984
[New Rule] Unusual ROPC Login Attempt by User Principal (#4871)
* new rule Unusual ROPC Login Attempt by User Principal
* linted
2025-07-03 14:43:19 -04:00
Terrance DeJesus
016cdf2cbb
[New Rule] Microsoft Entra ID Suspicious Cloud Device Registration (#4802)
* new rule Microsoft Entra ID Suspicious Cloud Device Registration
* adjusted backticks in non-ecs and rule
* linted
* adjusted uuid; bumped patch version
2025-07-02 10:03:08 -04:00
Terrance DeJesus
10d95baa2b
[Rule Tuning] Microsoft Entra ID Excessive Account Lockouts Detected (#4851)
* adjusting Microsoft Entra ID Excessive Account Lockouts Detected
* removing unit test
* added newline
* adjusted dates
2025-07-01 08:18:18 -04:00
Terrance DeJesus
ba429070e3
[New Rule] Entra ID RT to PRT Transition from Same User and Device (#4845)
2025-06-25 14:52:50 -04:00
Terrance DeJesus
0aefedd6f1
[New Rule] Suspicious ADRS Token Request by Microsoft Auth Broker (#4801)
* new rule Suspicious ADRS Token Request by Microsoft Auth Broker
* bumping patch version
* updating patch version
2025-06-18 14:41:04 -04:00
Terrance DeJesus
0c68fcb7d9
[New Rule] Entra ID User Signed In from Unusual Device (#4804)
* new rule Entra ID User Signed In from Unusual Device
* adjusted patch version
* adjusted patch version
* updating patch version
2025-06-18 14:13:42 -04:00
Terrance DeJesus
7b1139b219
[Rule Tuning] Expand Scope of Entra ID Brute Force Sign-In Attempts (#4777)
* tuning rule to not be M365 specific
* adjusted rules
* linted
* linted; adjusted descriptions
* tuned rule logic
* adjusted time logic
* adjusted query logic
* removed 50053 from inclusion
* adjusted query
2025-06-18 10:59:50 -04:00
Terrance DeJesus
4fb8483f2d
[Rule Tuning] Suspicious Activity via Auth Broker On-Behalf-of Principal User (#4793)
* rule tuning Suspicious Activity via Auth Broker On-Behalf-of Principal User
* adjusted investigation guide
* adjusted time
2025-06-17 19:10:55 -04:00
Terrance DeJesus
c7c1586160
[Rule Deprecation] Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source (#4780)
* rule deprecation
* adjusted investigation guide
2025-06-10 12:02:54 -04:00
Terrance DeJesus
9569aa4860
[New Rule] Microsoft Entra ID Excessive Account Lockouts Detected (#4782)
* new rule Microsoft Entra ID Excessive Account Lockouts Detected
* updating investigation guide
* removed user agent exception
* linted
2025-06-10 11:31:35 -04:00
Terrance DeJesus
0a8c3ca471
new rule for BloodHound user agents (#4769)
2025-06-04 09:11:13 -04:00
Terrance DeJesus
71c82ec475
[New Rule] Entra ID Protection - Risk Detection - User Risk (#4762)
* new rule Entra ID Protection - Risk Detection - User Risk
* adding max signals note
* adjusted mitre mapping
* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-06-04 08:59:01 -04:00
Terrance DeJesus
61fb056f05
[Rule Tuning] Microsoft Entra ID Protection Anonymized IP Risk Detection (#4759)
* tuning Microsoft Entra ID Protection Anonymized IP Risk Detection
* adjusted tags and mappings
* added max signals
* adjusted file name
* adding max signals note
* adjusted mitre mapping
2025-06-04 08:31:21 -04:00
Terrance DeJesus
bfca0ea414
[New Hunt] Commvault Supply Chain Threat (#4748)
* hunts for CommVault threat
* added lookback time to ESQL query
* updated query logic
2025-05-28 14:11:46 -04:00
Terrance DeJesus
17d98cc8dd
[Rule Tuning] Tuning Azure Entra Sign-in Brute Force against Microsoft 365 Accounts (#4737)
* rule tuning 'Potential Microsoft 365 Brute Force via Entra ID Sign-Ins'
* updated lookback windows, date truncation times
* updated investigation guide
2025-05-28 13:45:15 -04:00
Terrance DeJesus
4bd8469c38
[New Rule] Microsoft Entra ID Elevated Access to User Access Administrator (#4742)
* new rule Microsoft Entra ID Elevated Access to User Access Administrator
* updating uuid
2025-05-28 13:33:22 -04:00
Terrance DeJesus
22d780f9af
[New Rule] Microsoft Entra ID User Reported Suspicious Activity (#4740)
* new rule Microsoft Entra ID User Reported Suspicious Activity
* Update rules/integrations/azure/initial_access_entra_id_user_reported_risk.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-05-28 11:55:51 -04:00
Terrance DeJesus
0d4db2ecfe
tuning 'Microsoft Entra ID High Risk Sign-in' (#4739)
2025-05-28 11:40:04 -04:00
Terrance DeJesus
82bee3e9c2
[Rule Tuning] Microsoft Graph First Occurrence of Client Request (#4728)
* tuning 'Microsoft Graph First Occurrence of Client Request'
* updated update date
2025-05-19 14:56:21 -04:00
Terrance DeJesus
8f27c24528
[New Rule] Suspicious Email Access by First-Party Application via Microsoft Graph (#4704)
* new rule 'Suspicious Email Access by First-Party Application via Microsoft Graph'
* updated patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-09 20:49:08 -04:00
Terrance DeJesus
d83e1c711a
[New Rule] Microsoft Entra Session Reuse with Suspicious Graph Access (#4711)
* new rule 'Microsoft Entra Session Reuse with Suspicious Graph Access'
* fixed tags; linted
* fixed mitre mappings
* updated name and investigation guide
2025-05-09 20:32:22 -04:00
shashank-elastic
0f3bfcd98a
Fix new term doc broken link (#4706)
2025-05-07 17:03:58 +05:30
James Valente
36d595ae2f
[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce (#4405)
* Add exceptions for non-interactive signin failures.
Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:
- 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
- 70044 : Session expired or no longer valid due to conditional access frequency checks
- 50057 : User account is disabled
* Update rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
* Update metadata for `updated_date`
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-05-06 22:43:15 +05:30
Terrance DeJesus
a34a26ddec
[Rule Tuning] Excluding Microsoft Entra ID Service Principal Addition Invoked by MSFT Identity (#4700)
* tuning rule to exclude service principals added by MSFT
* added additional exclusions
* updated rule name and file name
* updated investigation guide and mitre
2025-05-06 11:19:50 -04:00
Samirbous
f480e98f16
[New] Concurrent Azure SignIns with Suspicious Properties (#4670)
2025-05-06 13:09:54 +05:30
Terrance DeJesus
57be590d73
[New Rule] Adding Coverage for Suspicious Activity via Auth Broker On-Behalf-of Principal User (#4687)
2025-05-06 12:41:57 +05:30
Terrance DeJesus
58d03d4043
[New Rule] Adding Coverage for Microsoft Entra ID SharePoint Access for User Principal via Auth Broker (#4695)
* new rule 'Microsoft Entra ID SharePoint Access for User Principal via Auth Broker'
* updated severity
* added new terms note
2025-05-05 16:45:47 -04:00
Samirbous
dddc2a7bb9
[New] Microsoft 365 OAuth Redirect to Device Registration for User (#4694)
* [New] Microsoft 365 OAuth Redirect to Device Registration for User Principal
https://github.com/elastic/ia-trade-team/issues/590
* Update non-ecs-schema.json
* Update pyproject.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* fixed investigation guide formatting; fixed unit test failure
* updated patch version
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-05-02 08:36:10 +01:00
Terrance DeJesus
ce66f52aad
[New Rule] Adding Coverage for Microsoft Entra ID Protection Anonymized IP Risk Detection (#4689)
* Adding new rule 'Microsoft Entra ID Protection Anonymized IP Risk Detection'
* updating description
* adding index
* updating mitre tactic mapping
* updating file name
2025-05-01 23:03:50 -04:00
Terrance DeJesus
bae7835f6a
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client (#4642)
* new rules for MSFT OAuth phishing in Azure, Entra and Microsoft 365
* changed m365 file name
* fixed duplicate tactics
* updating non-ecs for graph activity logs
* updating rules; investigation guides; formatting, linting errors
2025-05-01 22:38:41 -04:00
Samirbous
ea31143b83
[New] Suspicious Azure Sign-in via Visual Studio Code (#4639)
* Create initial_access_entra_login_visual_code_phish.toml
* Update non-ecs-schema.json
* Update initial_access_entra_susp_visual_code_signin.toml
* Update pyproject.toml
* Update initial_access_entra_susp_visual_code_signin.toml
* Update non-ecs-schema.json
2025-04-23 14:06:05 +01:00
Terrance DeJesus
ba16e27edb
[Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570)
* tuning 'Azure Service Principal Credentials Added'
* updated patch version
* added investigation guide
* updating patch version
* updating patch version
2025-04-16 13:58:17 -04:00
Terrance DeJesus
1a6669e5a6
[Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562)
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'
* updated MITRE ATT&CK mappings
* updated index target
* updated patch version
* updating patch version
* bumping patch version
* updating patch version
2025-04-16 12:21:41 -04:00
Terrance DeJesus
c6e37d6910
[Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557)
* tuning Azure rule for illicit grant activity; creating new rule for M365
* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
* adjusted tags
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
2025-03-27 15:55:04 -04:00
Terrance DeJesus
280140650a
tuning 'Azure Conditional Access Policy Modified' (#4558)
2025-03-27 15:43:46 -04:00
Terrance DeJesus
2f3f4fbdef
deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559)
2025-03-27 10:09:34 -04:00
Terrance DeJesus
5e12f05a36
fixing double header in investigation notes (#4490)
2025-03-25 09:08:13 -04:00
shashank-elastic
059d7efa25
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
Terrance DeJesus
3ed820afa8
[New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523)
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'
* updating name
* added investigation guide
* updated investigation guide
* updated investigation guide
* removed unnecessary comment
* adjusted logic to count distinct on principal id; principal name will be in aggregations now
* updated Entra ID name
2025-03-11 11:25:10 -04:00
Terrance DeJesus
aacb376acf
[New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524)
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'
* updating tactic tag
* adjusted query logic for user type
* updated Entra ID name
2025-03-11 11:05:56 -04:00
Terrance DeJesus
fd1369a164
[New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525)
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'
* linted; updated UUID
* adjusted rule name and logic to focus on any rare authentication requirements
* adjusted file name
2025-03-11 10:51:01 -04:00
Terrance DeJesus
ec4523a6a9
[Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466)
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'
* bumping patch version
* fixed investigation guide unit test failure
* bump patch
2025-02-20 10:29:04 -05:00
Mika Ayenson
fe8c81d762
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
James Valente
f52cfb3729
[Rule: Tuning] - Azure blob permission modification tagging - Correct tags (#4371)
* Remove `Data Source: Elastic Defend` tag
* Update metadata
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-01-13 10:40:34 -03:00
Terrance DeJesus
0a740074c9
new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297)
2024-12-12 11:00:02 -05:00
Isai
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
2024-12-06 17:27:38 -05:00