sigma-rules

Author	SHA1	Message	Date
Austin Songer	b090e60bd6	[New Rule] Azure Full Network Packet Capture Detected (#1420 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Create exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update exfiltration_azure_full_network_packet_capture_detected.toml * Update exfiltration_azure_full_network_packet_capture_detected.toml * Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit `50501bb40f`)	2021-10-16 02:07:22 +00:00
Austin Songer	69dbb5f655	[New Rule] Azure Virtual Network Device Modified or Deleted (#1421 ) * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Delete defense_evasion_virtual_network_device_modified.toml * Create defense_evasion_virtual_network_device_modified.toml * Update defense_evasion_virtual_network_device_modified.toml * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update defense_evasion_virtual_network_device_modified.toml * Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml * fix description Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit `790586fb57`)	2021-10-15 19:12:07 +00:00
Austin Songer	af3571ea6e	[New Rule] Azure Kubernetes Pods Deleted (#1309 ) * Create impact_kubernetes_pod_deleted.toml * Update impact_kubernetes_pod_deleted.toml * Update * Update impact_kubernetes_pod_deleted.toml * quote value in query Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit `761df5fe84`)	2021-10-15 19:08:48 +00:00
Austin Songer	8f55556006	[New Rule] Azure Blob Permissions Modification (#1499 ) * Create defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update defense_evasion_azure_blob_permissions_modified.toml * Update description and query (spacing) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit `7123d46623`)	2021-10-14 10:00:28 +00:00
Austin Songer	358585b2c1	[New Rule] Azure Kubernetes Events Deleted (#1307 ) * Create defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update defense_evasion_kubernetes_events_deleted.toml * Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Add quotes to azure query field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit `3d15c2072d`)	2021-10-14 09:58:32 +00:00
Austin Songer	09f49da822	[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393 ) (cherry picked from commit `d28c48f20f`)	2021-09-29 17:09:18 +00:00
Nic	20a814c47f	[Rule tuning] Azure Active Directory High Risk Sign-in (#1463 ) * Add Aggregated Risk Level * There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on. * An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types (cherry picked from commit `8b2c8c2e03`)	2021-08-30 22:34:47 +00:00
Ross Wolf	600acca704	[Fleet] Track integrations in folder and metadata (#1372 ) * Track integrations in folder and metadata * Remove duplicate entry * Update note and tests (cherry picked from commit `1882f4456c`)	2021-07-21 21:25:48 +00:00

8 Commits