sigma-rules

Author	SHA1	Message	Date
Brent Murphy	01b1e8be26	[Rule Tuning] Update Tags for Cloud Rules (#99 ) * [Rule Tuning] Update Tags for Cloud Rules * commenting out specifying alphabetical tag order in rule formatter * Update rule_formatter.py * py lint * Lint fix comments * update modified dates * Update credential_access_secretsmanager_getsecretvalue.toml * adding Continuous Monitoring tag * update tags * fixed and in tags Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2020-08-03 17:15:15 -04:00
Ross Wolf	978a8d9df8	[Bug] Set threshold.field to empty string instead of null (#87 )	2020-07-22 19:31:09 -04:00
Brent Murphy	e08ff6c55d	[Rule Tuning] Update Cloud rules with note field (#79 ) Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2020-07-21 12:27:42 -04:00
David French	4784342723	[New Rule] AWS IAM Brute Force of Assume Role Policy (#67 ) * Create credential_access_aws_iam_assume_role_brute_force.toml * Update maturity to production * Update formatting for query Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rule name * Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rule description Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update note field in rule ... to inform users that AWS Filebeat module must be enabled to use this rule. Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * lint rule * Update rules/aws/credential_access_aws_iam_assume_role_brute_force.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2020-07-20 12:43:26 -06:00
Samirbous	676be30199	[New rule] AWS Secrets Manager and System Manager Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2020-07-08 12:48:04 -06:00
Seth Goodwin	c577426510	Update Lookback Interval for AWS Rules	2020-07-08 08:50:01 -06:00
Ross Wolf	316be47e27	Rename AWS to aws	2020-07-08 08:43:30 -06:00
Craig Chamberlain	94974c3895	Detect DeleteRule events with AWS WAF Deletion Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>	2020-07-07 15:44:11 -06:00
Craig Chamberlain	ee82874c24	[New Rule] AWS Config Service Tampering Co-authored-by: Derek Ditch <dcode@users.noreply.github.com> Co-authored-by: Seth Goodwin <58222969+seth-goodwin@users.noreply.github.com>	2020-07-07 15:43:22 -06:00
seth-goodwin	cae5fee025	[New Rule] Add AWS Password Recovery Requested	2020-07-07 15:38:52 -06:00
Seth Goodwin	8052a1ea1f	[New Rule] Add rule for AWS UpdateAssumeRolePolicy Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-07-07 15:38:18 -06:00
Seth Goodwin	c1a1cf6854	[New Rule] AWS Root Login Without MFA Co-authored-by: Derek Ditch <dcode@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-07-07 15:07:17 -06:00
Ross Wolf	5fcece8416	Populate rules/ directory. Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com> Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com> Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com> Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-06-29 22:57:03 -06:00

13 Commits