security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
806 Commits 1 Branch 0 Tags
2c39bb962fdb6ceaabc20ceaeff2b86259b82d13
Commit Graph

9 Commits

Author SHA1 Message Date
Austin Songer 3303a4e255 [New Rule] Microsoft 365 - Mass download by a single user (#1348) 
* Create impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:01:50 -03:00
Austin Songer 11fa592c6f [New Rule] Microsoft 365 - Impossible travel activity (#1344) 
* Create initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Updated Directory

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-12 19:11:32 -03:00
Austin Songer c8ac37957d [New Rule] Microsoft 365 - User Restricted from Sending Email (#1345) 
* Create initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Fix technique

* update description and FP

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 18:32:54 -03:00
Austin Songer 98c217ece9 [New Rule] Microsoft 365 - Potential ransomware activity (#1346) 
* Create impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* bump to prod

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 18:26:17 -03:00
Austin Songer 3b0d2006b7 Made these pull requests before the directory restructure. (#1517) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-05 09:29:40 -03:00
Jonhnathan ba9c01be50 Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511) 2021-09-30 13:08:35 -08:00
Austin Songer a51ed86851 [New Rule] New or Modified Federation Domain (#1212) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_new-or-modified-federation-domain.toml

* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update

* Update persistence_new_or_modified_federation_domain.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-29 09:16:17 -03:00
Justin Ibarra b736d6e748 [Rule Tuning] Rule description tweaks (#1388) 2021-07-29 10:56:13 -08:00
Ross Wolf 1882f4456c [Fleet] Track integrations in folder and metadata (#1372) 
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
 2021-07-21 15:24:56 -06:00