security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
41 Commits 1 Branch 0 Tags
3ee7aa3822f2039c8f57111ff3f05a8efb41df45
Commit Graph

15 Commits

Author SHA1 Message Date
Craig Chamberlain 94974c3895 Detect DeleteRule events with AWS WAF Deletion 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
 2020-07-07 15:44:11 -06:00
Craig Chamberlain ee82874c24 [New Rule] AWS Config Service Tampering 
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>
 2020-07-07 15:43:22 -06:00
Justin Ibarra 95908c22a4 Improve ECS compatibility for endpoint rules 2020-07-07 15:41:23 -06:00
seth-goodwin cae5fee025 [New Rule] Add AWS Password Recovery Requested 2020-07-07 15:38:52 -06:00
Seth Goodwin 8052a1ea1f [New Rule] Add rule for AWS UpdateAssumeRolePolicy 
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-07-07 15:38:18 -06:00
Craig Chamberlain a2a0b2bf0c [New Rule] AWS EC2 Snapshot Activity 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-07-07 15:10:06 -06:00
Seth Goodwin c1a1cf6854 [New Rule] AWS Root Login Without MFA 
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-07-07 15:07:17 -06:00
David French a98eca06d0 Add event.module value to Okta rules (#19) 2020-07-06 14:26:18 -06:00
David French 51fed4f537 Update defense_evasion_attempt_to_disable_iptables_or_firewall.toml (#11) 2020-07-02 11:31:19 -06:00
David French f438a222d5 [New Rule] Attempt to Modify or Delete Okta Application Sign On Policy (#10) 
* Add okta rule for policy modification/delete

* Update rule name

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add event.module value to query

* Update okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Add event.category and event.type values to query

* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-02 08:52:55 -06:00
Francesco Soncina 46a4008570 [Rule tuning] Fix evasion for disable iptables rule (#5) 2020-07-01 12:08:32 -06:00
Erkin Djindjiev 1fac018f10 Update MySQL port to 3306 not 3336 (#2) 2020-07-01 09:52:04 -06:00
Ross Wolf 975aa61bc0 Remove links to empty rules subfolders 2020-06-30 10:32:03 -06:00
Ross Wolf fb0d36941c Add documentation and update license notice 2020-06-29 23:21:16 -06:00
Ross Wolf 5fcece8416 Populate rules/ directory. 
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-29 22:57:03 -06:00