11 Commits

Author SHA1 Message Date
Ross Wolf a0ae05c78e Fix spelling of Continuous Monitoring (#795)
* Fix spelling of Continuous Monitoring
* Update the updated_at date
* Happy new year
2021-01-04 15:05:34 -07:00
Brent Murphy 627610401c [Rule Tuning] Update rules for new Fleet integrations (#729)
* update azure indices

* remove . in index to match prior cloud rules

* update o365 indices

* add event.dataset:google_workspace.admin to existing google workspace rules

* gcp syntax

* add gcp index

* update gcp index

* update index patterns for google workspace rules

* update gcp index2

* update updated_date

* update event outcome for azure

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-18 12:23:12 -05:00
Brent Murphy 598e807a5c [New Rule] Microsoft 365 Teams Custom Application Interaction Allowed (#657)
* [New Rule] O365 Teams Custom Application Interaction Allowed

* rebrand to m365, still needed non ecs schema

* Update non-ecs-schema.json
2020-12-08 17:36:47 -05:00
Brent Murphy 73e2690ec0 [New Rule] Potential Password Spraying of Microsoft 365 User Accounts (#665)
* [New Rule] Potential Password Spraying of O365 User Accounts

* Update credential_access_o365_potential_password_spraying_attack.toml

* rebrand to m365

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 17:19:39 -05:00
Brent Murphy d74b41c1a0 [New Rule] Microsoft 365 Teams External Access Enabled (#661)
* [New Rule] O365 Teams External Access Enabled

* rebrand to m365, still needed non ecs schema

* update description

* remove non ecs change
2020-12-08 16:48:15 -05:00
Brent Murphy 6bfe5d3dd8 [New Rule] Microsoft 365 Teams Guest Access Enabled (#601)
* [New Rule] O365 Teams Guest Access Enabled

* rebrand to m365, still needed non ecs schema

* remove non ecs schema change
2020-12-08 16:44:15 -05:00
Brent Murphy 6a296c64c5 [New Rule] Microsoft 365 Exchange DKIM Signing Configuration Disabled (#578)
* [New Rule] O365 Exchange DKIM Signing Configuration Disabled

* rebrand to m365

* still req non ecs schema

* Remove the ECS override

* Update _flatten_schema logic

* Allow fields with * in the path

* Allow explicit fields to overwrite implicit * fields

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-12-08 16:38:00 -05:00
Brent Murphy 86b1a56c1b [New Rule] Attempts to Brute Force a Microsoft 365 User Account (#662)
* [New Rule] Attempts to Brute Force an O365 User Account

* Update credential_access_o365_brute_force_user_account_attempt.toml

* rebrand to m365

* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* update description
2020-12-04 12:40:09 -05:00
Brent Murphy f23881f1b8 [New Rule] Microsoft 365 Exchange DLP Policy Removed (#600)
* [New Rule] O365 Exchange DLP Policy Removed

* rebrand to m365

* update description
2020-12-02 14:18:11 -05:00
Brent Murphy 427012ed32 [New Rule] Microsoft 365 Exchange Management Group Role Assignment (#599)
* [New Rule] O365 Exchange Management Role Assignment

* Update persistence_o365_exchange_management_role_assignment.toml

* rebrand to m365
2020-12-02 14:11:33 -05:00
Brent Murphy ec4cd98ce8 [Rule Tuning] Rebrand Office 365 to Microsoft 365 (#669) 2020-12-02 14:04:48 -05:00