security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
74 Commits 1 Branch 0 Tags
4ffdc46ba7ed68ce75bcdb520272c81f2bf64c20
Commit Graph

6 Commits

Author SHA1 Message Date
Brent Murphy 01b1e8be26 [Rule Tuning] Update Tags for Cloud Rules (#99) 
* [Rule Tuning] Update Tags for Cloud Rules

* commenting out specifying alphabetical tag order in rule formatter

* Update rule_formatter.py

* py lint

* Lint fix comments

* update modified dates

* Update credential_access_secretsmanager_getsecretvalue.toml

* adding Continuous Monitoring tag

* update tags

* fixed and in tags

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-08-03 17:15:15 -04:00
Brent Murphy e08ff6c55d [Rule Tuning] Update Cloud rules with note field (#79) 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-07-21 12:27:42 -04:00
David French aaef4b99f4 [New Rule] Okta Brute Force or Password Spraying Attack (#66) 
* Create credential_access_okta_brute_force_or_password_spraying.toml

* Update maturity to production

* Update severity and risk score

* Aggregate by source.ip field

To ensure that investigate in timeline displays expected events

* Update false positive information

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Tweak false positive info

* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/okta/credential_access_okta_brute_force_or_password_spraying.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-07-20 12:44:59 -06:00
David French a98eca06d0 Add event.module value to Okta rules (#19) 2020-07-06 14:26:18 -06:00
David French f438a222d5 [New Rule] Attempt to Modify or Delete Okta Application Sign On Policy (#10) 
* Add okta rule for policy modification/delete

* Update rule name

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add event.module value to query

* Update okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Add event.category and event.type values to query

* Update rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-07-02 08:52:55 -06:00
Ross Wolf 5fcece8416 Populate rules/ directory. 
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-06-29 22:57:03 -06:00