sigma-rules

security-tools/sigma-rules

Fork 0

Commit Graph

Author	SHA1	Message	Date
Terrance DeJesus	deab1c0161	[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 ) * [Rule Tuning] Change event.dataset to data_stream.dataset * updating ESQL field names	2026-04-10 12:27:52 -04:00
Terrance DeJesus	cabf1c2a02	[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172 ) * Tuning azure and m365 rule names and file paths * addressing unit test failures * addressing unit test failures * Changed Frontdoor to Front Door * removed extra space in name * adjusted Microsoft 365 to M365 in rule name * Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml * Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml * Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml * Update rules/integrations/azure/persistence_automation_account_created.toml * Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml * Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml * Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml * Update rules/integrations/azure/persistence_automation_webhook_created.toml * Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml * Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml * Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml * Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml * Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml * Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fixed additional rule names * Update rule dates and investigation guide headers - Set updated_date to 2025/12/10 for all modified rules - Fix investigation guide headers to match actual rule names - Ensures compliance with test_rule_change_has_updated_date - Ensures compliance with test_investigation_guide_uses_rule_name 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * changed kibana alert rule name to rule ID --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>	2025-12-10 12:59:50 -05:00

Author

SHA1

Message

Date

Terrance DeJesus

deab1c0161

[Rule Tuning] Change event.dataset to data_stream.dataset (#5943 )

* [Rule Tuning] Change event.dataset to data_stream.dataset

* updating ESQL field names

2026-04-10 12:27:52 -04:00

Terrance DeJesus

cabf1c2a02

[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172 )

* Tuning azure and m365 rule names and file paths

* addressing unit test failures

* addressing unit test failures

* Changed Frontdoor to Front Door

* removed extra space in name

* adjusted Microsoft 365 to M365 in rule name

* Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml

* Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml

* Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml

* Update rules/integrations/azure/persistence_automation_account_created.toml

* Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml

* Update rules/integrations/azure/persistence_automation_webhook_created.toml

* Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml

* Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml

* Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml

* Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml

* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* fixed additional rule names

* Update rule dates and investigation guide headers

- Set updated_date to 2025/12/10 for all modified rules
- Fix investigation guide headers to match actual rule names
- Ensures compliance with test_rule_change_has_updated_date
- Ensures compliance with test_investigation_guide_uses_rule_name

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* changed kibana alert rule name to rule ID

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>

2025-12-10 12:59:50 -05:00

2 Commits