Derek Ditch
580db2c13e
Add timeline_id to detection rules (#95)
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
seth-goodwin
2065af89b1
[Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Brent Murphy
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 (#400)
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-10-22 09:07:04 -04:00
Justin Ibarra
0a992d716a
[Rule Tuning] Update EQL rules for 7.10 (#399)
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
2020-10-21 12:35:18 -08:00
Justin Ibarra
fd2d36573d
Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364)
2020-10-20 15:22:02 -08:00
Justin Ibarra
d3226c72c9
Add test for tactic in rule filename (#398)
2020-10-20 14:48:33 -08:00
Justin Ibarra
758e4a2c5b
Add unit tests for rule tags (#359)
2020-10-07 19:29:19 -08:00
Kevin Logan
f34c96f4dc
[Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355)
2020-10-05 09:55:15 -08:00
Andrew Pease
0b745c5492
[New Rule] Zoom Meeting with no Passcode (#292)
2020-09-30 21:44:45 -08:00
Justin Ibarra
bf202b6b6c
[New Rule] Initial converted EQL rules (#304)
* 18 converted eql rules (not all prod)
2020-09-30 21:40:55 -08:00
Justin Ibarra
2460333595
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351)
2020-09-30 16:16:04 -08:00
Samirbous
d094c76534
[New Rule] Suspicious Zoom ChildProcess (#245)
2020-09-30 15:46:33 -08:00
Andrew Pease
5ba848552a
[New Rule] Post Exploitation Public IP Reconnaissance (#270)
2020-09-30 15:36:22 -08:00
Andrew Pease
e753162fe2
[New Rule] Detecting Unsecure Elasticsearch Nodes (#109)
2020-09-30 15:34:38 -08:00
Andrew Pease
1a260536d4
[New Rule] RAR and PowerShell Downloaded from the Internet (#30)
2020-09-30 15:32:44 -08:00
Andrew Pease
faeac00465
[New Rule] Possible FIN7 Command and Control Behavior (#28)
2020-09-30 15:26:13 -08:00
Andrew Pease
d68e4ac7f0
[New Rule] Hosts File Modified (#25)
2020-09-30 15:24:07 -08:00
Andrew Pease
1620559f1f
[New Rule] Halfbaked C2 Beacon (#23)
2020-09-30 15:21:33 -08:00
Andrew Pease
8caf897a73
[New Rule] Cobalt Strike Beacon (#21)
2020-09-30 14:58:24 -08:00
Brent Murphy
83fb9bdf93
[Rule Tuning] Update event.code to category (#349)
2020-09-30 14:34:58 -08:00
Samirbous
cbf465ba01
[New Rule] Kerberos dump using kcc command (#139)
* [New Rule] Kerberos dump using kcc command
* Delete .gitignore
* Delete vcs.xml
* Delete profiles_settings.xml
* Delete misc.xml
* Delete rules.iml
* Delete modules.xml
* Update credential_access_kerberosdump_kcc.toml
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update credential_access_kerberosdump_kcc.toml
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-30 23:03:44 +02:00
Justin Ibarra
a212008f8c
[Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342)
2020-09-30 09:41:33 -08:00
Samirbous
f15d179a50
[New Rule] - Credential Access - Domain DPAPI Backup key (#125)
* new rule - credential access
Domain Backup DPAPI Private Keys Access
* Update credential_access_domain_backup_dpapi_private_keys.toml
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Linted
* added an extra reference
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 21:14:07 +02:00
Samirbous
c6519a2474
[New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity (#146)
* [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity
Same rule will detect exploitation behavior of CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Added references and changed file name to extension as it was closed as bug issue by endpoint dev team
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 21:11:43 +02:00
Samirbous
cccd91bc1a
[New Rule] - Persistence via Update Orchestrator Service Hijack (#152)
* [New Rule] - Persistence via Update Orchestrator Service Hijack
* Update persistence_via_update_orchestrator_service_hijack.toml
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 18:53:05 +02:00
Samirbous
3ec2d92b42
[New Rule] - Potential Secure File Deletion using SDelete utility (#162)
* [New Rule] - Potential Secure File Deletion using SDelete utility
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* linted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 18:46:29 +02:00
Samirbous
206d666e7e
[New Rule] Microsoft IIS Connection Strings Decryption (#165)
* [New Rule] Microsoft IIS Connection Strings Decryption
* Update credential_access_iis_connectionstrings_dumping.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:45:41 +02:00
Samirbous
a679207413
[New Rule] - Defense Evasion IIS HttpLogging Disabled (#142)
* [New Rule] - Defense Evasion IIS HttpLogging Disabled
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Linted
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:39:04 +02:00
Samirbous
53484de986
[New Rule] - Creation of a new GPO Scheduled Task or Service (#126)
* [New Rule] - Creation of a new GPO Scheduled Task or Service
* Update lateral_movement_gpo_schtask_service_creation.toml
* Update lateral_movement_gpo_schtask_service_creation.toml
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 10:54:24 +02:00
Samirbous
269925ae2e
[New Rule] - MacOS Keychains compression (#136)
* macOS Keychains compression
* Update exfiltration_compress_credentials_keychains.toml
* Update exfiltration_compress_credentials_keychains.toml
* Update exfiltration_compress_credentials_keychains.toml
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-29 10:23:43 +02:00
Samirbous
60adbbbb70
[New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148)
* [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* added ref and changed verb and replaced file.name with file.extension
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted and fixed tactic to privesc
* Linted
* ref
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* Lint rule
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-29 10:17:36 +02:00
Samirbous
fc3dcdf133
[New Rule] Unusual CommandShell Parent Process (#202)
* [New Rule] Suspicious CommandShell Parent Process
* toml linted
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 23:15:26 +02:00
Craig Chamberlain
a7dee682cc
Add Tags to Unusual Sudo Activity Rule (#340)
* Update ml_linux_anomalous_sudo_activity.toml
added T1548
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
2020-09-28 16:07:41 -04:00
Brent Murphy
8a5e0dd441
[New Rule] AWS Management Console Attempted Root Login Brute Force (#88)
* Create initial_access_root_console_failure_brute_force.toml
* bumping threshold value to 10
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update initial_access_root_console_failure_brute_force.toml
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update initial_access_root_console_failure_brute_force.toml
* update with FP info
* update threshold field
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 13:37:22 -04:00
Craig Chamberlain
0affb48b07
[New Rule] Unusual User Calling the Metadata Service [Linux] (#327)
* Create ml_linux_anomalous_metadata_user.toml
rule create
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update ml_linux_anomalous_metadata_user.toml
* Update ml_linux_anomalous_metadata_user.toml
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-28 12:13:06 -04:00
Craig Chamberlain
746c175669
[New Rule] Unusual User Calling the Metadata Service [Windows] (#328)
* Create ml_windows_anomalous_metadata_user.toml
* Update ml_windows_anomalous_metadata_user.toml
* Update rules/ml/ml_windows_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update ml_windows_anomalous_metadata_user.toml
* Update rules/ml/ml_windows_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-28 12:09:14 -04:00
Brent Murphy
7857787328
[New Rule] Azure Global Administrator Role Addition to PIM User (#336)
* Create persistence_azure_pim_user_added_global_admin.toml
* tweak syntax for readability
* Update additional rule name to match others naming convention
* Delete defense_evasion_azure_diagnostic_settings_deletion.toml
* tweak rule name
* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update description and lint
* small naming tweak for consistency
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 10:45:59 -04:00
Justin Ibarra
3c0d982d8f
[Rule Tuning] Mknod Process Activity (#276)
2020-09-24 13:27:16 -08:00
Brent Murphy
652b2c5e44
[New Rule] GCP Logging Sink Deletion (#306)
* Create gcp_logging_sink_deletion.toml
* update description
* update rule name
2020-09-24 17:19:27 -04:00
Craig Chamberlain
4473f6d8f3
[New Rule] Unusual Sudo Activity (#263)
* Create ml_linux_anomalous_sudo_activity.toml
rule to accompany the unusual sudo activity job
* Update ml_linux_anomalous_sudo_activity.toml
added fp field
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
linting
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
* Update rules/ml/ml_linux_anomalous_sudo_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 14:55:33 -04:00
Brent Murphy
17e3d83b29
[New Rule] GCP Pub/Sub Subscription Deletion (#334)
* Create gcp_pub_sub_subscription_deletion.toml
* update rule name with mitre tactic
2020-09-24 13:21:28 -04:00
Brent Murphy
367d870654
[New Rule] GCP Logging Bucket Deletion (#308)
* Create gcp_logging_bucket_deletion.toml
* update rule name with mitre tactic
2020-09-24 13:14:18 -04:00
Brent Murphy
21d19863e2
[New Rule] GCP Pub/Sub Topic Deletion (#307)
* Create gcp_pub_sub_topic_deletion.toml
* Update rules/gcp/gcp_pub_sub_topic_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* linting
* update rule name with mitre tactic
* correct spelling error in rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-24 13:09:50 -04:00
Brent Murphy
95877f7879
[Rule Tuning] Update event.category for Azure rules (#335)
* update event.category for azure rules
* update updated_date field
* update name to include Azure
* Update persistence_user_added_as_owner_for_azure_service_principal.toml
2020-09-24 12:45:25 -04:00
Brent Murphy
e34a969cd3
Create collection_gcp_pub_sub_subscription_creation.toml (#332)
2020-09-24 12:08:49 -04:00
David French
bd2ec8a194
[New Rule] GCP Virtual Private Cloud Route Created (#326)
* [New Rule] GCP Virtual Private Cloud Route Created
* Update rule name to align with other rules
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:47:21 -06:00
David French
df19db4f67
[New Rule] GCP Virtual Private Cloud Network Deleted (#325)
* [New Rule] GCP Virtual Private Cloud Network Deleted
* Update rule name to align with other rules
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:44:48 -06:00
David French
de85f483a4
[New Rule] GCP Virtual Private Cloud Route Deleted (#324)
* [New Rule] GCP Virtual Private Cloud Route Deleted
* Update rule name to align with other rules
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:31:48 -06:00
David French
de6f326c72
[New Rule] GCP Storage Bucket Configuration Modified (#322)
* Create defense_evasion_gcp_storage_bucket_configuration_modified.toml
* Update rule name to align with other rules
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:29:53 -06:00
David French
01c904f2dd
[New Rule] GCP Firewall Rule Created (#312)
* new-rule-gcp-firewall-rule-created
* Add FP info to rule
* Add ATT&CK metadata
* Update name to align with other rules
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:27:41 -06:00