Commit Graph

25 Commits

Author SHA1 Message Date
Austin Songer fa9da023dd [New Rule] Microsoft 365 - Unusual Volume of File Deletion (#1347)
* Create impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update rules/microsoft-365/impact_microsoft_365_unusual_volume_of_file_deletion.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Add missing `\`

* Bump to prod and update description

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-12 18:30:49 -03:00
Austin Songer 3b0d2006b7 Made these pull requests before the directory restructure. (#1517)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-10-05 09:29:40 -03:00
Austin Songer 5ac7fb639c [New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211) 2021-09-27 13:18:33 -08:00
Ross Wolf 1882f4456c [Fleet] Track integrations in folder and metadata (#1372)
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
2021-07-21 15:24:56 -06:00
Austin Songer 64c3f7cdc5 [New Rule] O365 Excessive SSO Logon Errors (#1215) 2021-07-20 22:55:00 -08:00
Austin Songer c215c44809 [Rule Tuning] Potential password spraying of microsoft 365 user accounts (#1164)
* Update impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-06-22 13:36:13 -04:00
Brent Murphy d8ef9a81ef [Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account (#1251)
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* add authors
2021-06-22 08:38:49 -06:00
Austin Songer 546e43071c [Rule Tuning] Attempts to brute force a microsoft 365 user account (#1163)
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-06-15 09:20:20 -04:00
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194)
* standardize usage of note field
2021-05-10 13:40:56 -08:00
Brent Murphy 4a46b2f03b Create collection_microsoft_365_new_inbox_rule.toml (#1068)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-04-14 17:06:39 -04:00
Justin Ibarra 0e0b2ea1a4 Update schema for threshold rule type for 7.12 (#976)
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944) 2021-03-03 22:12:11 -09:00
Justin Ibarra 90a9320f93 [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951)
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
Justin Ibarra 61deed3fd2 [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948)
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
Ross Wolf a0ae05c78e Fix spelling of Continuous Monitoring (#795)
* Fix spelling of Continuous Monitoring
* Update the updated_at date
* Happy new year
2021-01-04 15:05:34 -07:00
Brent Murphy 627610401c [Rule Tuning] Update rules for new Fleet integrations (#729)
* update azure indices

* remove . in index to match prior cloud rules

* update o365 indices

* add event.dataset:google_workspace.admin to existing google workspace rules

* gcp syntax

* add gcp index

* update gcp index

* update index patterns for google workspace rules

* update gcp index2

* update updated_date

* update event outcome for azure

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-18 12:23:12 -05:00
Brent Murphy 598e807a5c [New Rule] Microsoft 365 Teams Custom Application Interaction Allowed (#657)
* [New Rule] O365 Teams Custom Application Interaction Allowed

* rebrand to m365, still needed non ecs schema

* Update non-ecs-schema.json
2020-12-08 17:36:47 -05:00
Brent Murphy 73e2690ec0 [New Rule] Potential Password Spraying of Microsoft 365 User Accounts (#665)
* [New Rule] Potential Password Spraying of O365 User Accounts

* Update credential_access_o365_potential_password_spraying_attack.toml

* rebrand to m365

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 17:19:39 -05:00
Brent Murphy d74b41c1a0 [New Rule] Microsoft 365 Teams External Access Enabled (#661)
* [New Rule] O365 Teams External Access Enabled

* rebrand to m365, still needed non ecs schema

* update description

* remove non ecs change
2020-12-08 16:48:15 -05:00
Brent Murphy 6bfe5d3dd8 [New Rule] Microsoft 365 Teams Guest Access Enabled (#601)
* [New Rule] O365 Teams Guest Access Enabled

* rebrand to m365, still needed non ecs schema

* remove non ecs schema change
2020-12-08 16:44:15 -05:00
Brent Murphy 6a296c64c5 [New Rule] Microsoft 365 Exchange DKIM Signing Configuration Disabled (#578)
* [New Rule] O365 Exchange DKIM Signing Configuration Disabled

* rebrand to m365

* still req non ecs schema

* Remove the ECS override

* Update _flatten_schema logic

* Allow fields with * in the path

* Allow explicit fields to overwrite implicit * fields

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-12-08 16:38:00 -05:00
Brent Murphy 86b1a56c1b [New Rule] Attempts to Brute Force a Microsoft 365 User Account (#662)
* [New Rule] Attempts to Brute Force an O365 User Account

* Update credential_access_o365_brute_force_user_account_attempt.toml

* rebrand to m365

* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* update description
2020-12-04 12:40:09 -05:00
Brent Murphy f23881f1b8 [New Rule] Microsoft 365 Exchange DLP Policy Removed (#600)
* [New Rule] O365 Exchange DLP Policy Removed

* rebrand to m365

* update description
2020-12-02 14:18:11 -05:00
Brent Murphy 427012ed32 [New Rule] Microsoft 365 Exchange Management Group Role Assignment (#599)
* [New Rule] O365 Exchange Management Role Assignment

* Update persistence_o365_exchange_management_role_assignment.toml

* rebrand to m365
2020-12-02 14:11:33 -05:00
Brent Murphy ec4cd98ce8 [Rule Tuning] Rebrand Office 365 to Microsoft 365 (#669) 2020-12-02 14:04:48 -05:00