Justin Ibarra
6ef5c53b0c
Cleanup note field in rules ( #1194 )
* standardize usage of note field
2021-05-10 13:40:56 -08:00
Brent Murphy
c64e700c56
[Rule Tuning] Update Cloud Rule Syntax ( #1061 )
* update cloud syntax
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-04-14 10:49:28 -04:00
Justin Ibarra
0ef7d87b34
[Rule Tuning] Fix inconsistent rule indexes ( #974 )
* [Rule Tuning] Fix inconsistent rule indexes
* cleaned up tests that load rules to leverage setUpClass
2021-03-05 11:16:02 -09:00
Brent Murphy
3b7eedcc31
wrap azure operation name ( #981 )
2021-03-04 17:50:19 -05:00
Justin Ibarra
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
Justin Ibarra
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules ( #945 )
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
brokensound77
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00
Justin Ibarra
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules ( #951 )
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
brokensound77
6ce418877f
Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12
# Conflicts:
# etc/version.lock.json
# rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
# rules/cross-platform/impact_hosts_file_modified.toml
# rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
# rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
# rules/linux/defense_evasion_timestomp_touch.toml
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
# rules/macos/credential_access_credentials_keychains.toml
# rules/macos/credential_access_promt_for_pwd_via_osascript.toml
# rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
# rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
# rules/promotions/external_alerts.toml
# rules/windows/collection_email_powershell_exchange_mailbox.toml
# rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
# rules/windows/collection_winrar_encryption.toml
# rules/windows/command_and_control_common_webservices.toml
# rules/windows/command_and_control_encrypted_channel_freesslcert.toml
# rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
# rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
# rules/windows/command_and_control_teamviewer_remote_file_copy.toml
# rules/windows/credential_access_cmdline_dump_tool.toml
# rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
# rules/windows/credential_access_credential_dumping_msbuild.toml
# rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
# rules/windows/credential_access_dump_registry_hives.toml
# rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
# rules/windows/credential_access_iis_connectionstrings_dumping.toml
# rules/windows/credential_access_kerberoasting_unusual_process.toml
# rules/windows/credential_access_lsass_memdump_file_created.toml
# rules/windows/credential_access_mimikatz_memssp_default_logs.toml
# rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
# rules/windows/defense_evasion_clearing_windows_event_logs.toml
# rules/windows/defense_evasion_code_injection_conhost.toml
# rules/windows/defense_evasion_cve_2020_0601.toml
# rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
# rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
# rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
# rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
# rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
# rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
# rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
# rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
# rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
# rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
# rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
# rules/windows/defense_evasion_hide_encoded_executable_registry.toml
# rules/windows/defense_evasion_iis_httplogging_disabled.toml
# rules/windows/defense_evasion_injection_msbuild.toml
# rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
# rules/windows/defense_evasion_masquerading_renamed_autoit.toml
# rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
# rules/windows/defense_evasion_masquerading_trusted_directory.toml
# rules/windows/defense_evasion_modification_of_boot_config.toml
# rules/windows/defense_evasion_port_forwarding_added_registry.toml
# rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
# rules/windows/defense_evasion_sdelete_like_filename_rename.toml
# rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
# rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
# rules/windows/defense_evasion_suspicious_zoom_child_process.toml
# rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
# rules/windows/defense_evasion_unusual_dir_ads.toml
# rules/windows/defense_evasion_unusual_system_vp_child_program.toml
# rules/windows/defense_evasion_via_filter_manager.toml
# rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
# rules/windows/discovery_adfind_command_activity.toml
# rules/windows/discovery_admin_recon.toml
# rules/windows/discovery_file_dir_discovery.toml
# rules/windows/discovery_net_command_system_account.toml
# rules/windows/discovery_net_view.toml
# rules/windows/discovery_peripheral_device.toml
# rules/windows/discovery_process_discovery_via_tasklist_command.toml
# rules/windows/discovery_query_registry_via_reg.toml
# rules/windows/discovery_remote_system_discovery_commands_windows.toml
# rules/windows/discovery_security_software_wmic.toml
# rules/windows/discovery_whoami_command_activity.toml
# rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
# rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
# rules/windows/execution_command_shell_started_by_powershell.toml
# rules/windows/execution_command_shell_started_by_svchost.toml
# rules/windows/execution_command_shell_started_by_unusual_process.toml
# rules/windows/execution_command_shell_via_rundll32.toml
# rules/windows/execution_from_unusual_directory.toml
# rules/windows/execution_from_unusual_path_cmdline.toml
# rules/windows/execution_shared_modules_local_sxs_dll.toml
# rules/windows/execution_suspicious_cmd_wmi.toml
# rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
# rules/windows/execution_suspicious_pdf_reader.toml
# rules/windows/execution_suspicious_powershell_imgload.toml
# rules/windows/execution_suspicious_psexesvc.toml
# rules/windows/execution_suspicious_short_program_name.toml
# rules/windows/execution_via_compiled_html_file.toml
# rules/windows/execution_via_hidden_shell_conhost.toml
# rules/windows/execution_via_net_com_assemblies.toml
# rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
# rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
# rules/windows/initial_access_script_executing_powershell.toml
# rules/windows/initial_access_suspicious_ms_office_child_process.toml
# rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
# rules/windows/initial_access_unusual_dns_service_children.toml
# rules/windows/initial_access_unusual_dns_service_file_writes.toml
# rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
# rules/windows/lateral_movement_execution_from_tsclient_mup.toml
# rules/windows/lateral_movement_local_service_commands.toml
# rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
# rules/windows/lateral_movement_rdp_enabled_registry.toml
# rules/windows/lateral_movement_rdp_tunnel_plink.toml
# rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
# rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
# rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
# rules/windows/persistence_adobe_hijack_persistence.toml
# rules/windows/persistence_appcertdlls_registry.toml
# rules/windows/persistence_appinitdlls_registry.toml
# rules/windows/persistence_evasion_registry_ifeo_injection.toml
# rules/windows/persistence_gpo_schtask_service_creation.toml
# rules/windows/persistence_local_scheduled_task_commands.toml
# rules/windows/persistence_ms_office_addins_file.toml
# rules/windows/persistence_ms_outlook_vba_template.toml
# rules/windows/persistence_priv_escalation_via_accessibility_features.toml
# rules/windows/persistence_registry_uncommon.toml
# rules/windows/persistence_run_key_and_startup_broad.toml
# rules/windows/persistence_services_registry.toml
# rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
# rules/windows/persistence_startup_folder_scripts.toml
# rules/windows/persistence_suspicious_com_hijack_registry.toml
# rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
# rules/windows/persistence_suspicious_scheduled_task_runtime.toml
# rules/windows/persistence_suspicious_service_created_registry.toml
# rules/windows/persistence_system_shells_via_services.toml
# rules/windows/persistence_user_account_creation.toml
# rules/windows/persistence_via_application_shimming.toml
# rules/windows/persistence_via_hidden_run_key_valuename.toml
# rules/windows/persistence_via_lsa_security_support_provider_registry.toml
# rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
# rules/windows/persistence_via_update_orchestrator_service_hijack.toml
# rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
# rules/windows/privilege_escalation_named_pipe_impersonation.toml
# rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
# rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
# rules/windows/privilege_escalation_rogue_windir_environment_var.toml
# rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
# rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
# rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
# rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
# rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
# rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
# rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
# rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
# rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
# rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
2021-02-17 12:18:06 -09:00
Justin Ibarra
61deed3fd2
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules ( #948 )
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
brokensound77
bf32dec5a4
Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main
# Conflicts:
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
2021-01-28 10:41:39 -09:00
Brent Murphy
aa409111b8
[New Rule] Azure Active Directory High Risk Sign-in ( #790 )
* [New Rule] Azure Active Directory High Risk Sign-in
* Update initial_access_azure_active_directory_high_risk_signin.toml
2021-01-25 13:27:06 -05:00
Justin Ibarra
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
Brent Murphy
627610401c
[Rule Tuning] Update rules for new Fleet integrations ( #729 )
* update azure indices
* remove . in index to match prior cloud rules
* update o365 indices
* add event.dataset:google_workspace.admin to existing google workspace rules
* gcp syntax
* add gcp index
* update gcp index
* update index patterns for google workspace rules
* update gcp index2
* update updated_date
* update event outcome for azure
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-18 12:23:12 -05:00
Brent Murphy
c5cae5c437
[New Rule] Azure Active Directory PowerShell Sign-in ( #718 )
* Create initial_access_azure_active_directory_powershell_signon.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update initial_access_azure_active_directory_powershell_signin.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-15 11:52:43 -05:00
Brent Murphy
6b31b96bf8
[New Rule] Azure Service Principal Addition ( #717 )
* Create defense_evasion_azure_service_principal_addition.toml
* Update defense_evasion_azure_service_principal_addition.toml
* Update rules/azure/defense_evasion_azure_service_principal_addition.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_azure_service_principal_addition.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-15 11:47:23 -05:00
Brent Murphy
84ab3db48c
[New Rule] Azure Application Credential Modification ( #716 )
* Create defense_evasion_azure_application_credential_modification.toml
* Update rules/azure/defense_evasion_azure_application_credential_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-15 11:41:26 -05:00
David French
b8d2f6fc96
[Rule Tuning] Possible Consent Grant Attack via Azure-Registered Application ( #575 )
* Update initial_access_consent_grant_attack_via_azure_registered_application.toml
* bump updated_date
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 17:20:30 -07:00
Justin Ibarra
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate ( #570 )
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
Derek Ditch
580db2c13e
Add timeline_id to detection rules ( #95 )
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
seth-goodwin
2065af89b1
[Rule Tuning] Tag Categorization Updates ( #380 )
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Justin Ibarra
d3226c72c9
Add test for tactic in rule filename ( #398 )
2020-10-20 14:48:33 -08:00
Justin Ibarra
a212008f8c
[Rule Tuning] Remove event.module from rules for compatibility with agent integrations ( #342 )
2020-09-30 09:41:33 -08:00
Brent Murphy
7857787328
[New Rule] Azure Global Administrator Role Addition to PIM User ( #336 )
* Create persistence_azure_pim_user_added_global_admin.toml
* tweak syntax for readability
* Update additional rule name to match others' naming convention
* Delete defense_evasion_azure_diagnostic_settings_deletion.toml
* tweak rule name
* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update description and lint
* small naming tweak for consistency
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 10:45:59 -04:00
Brent Murphy
95877f7879
[Rule Tuning] Update event.category for Azure rules ( #335 )
* update event.category for azure rules
* update updated_date field
* update name to include Azure
* Update persistence_user_added_as_owner_for_azure_service_principal.toml
2020-09-24 12:45:25 -04:00
Justin Ibarra
065bcd8018
Refresh ATT&CK data to v7.2 and expand threat validation ( #330 )
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
David French
cedb2e1289
[New Rule] Azure Conditional Access Policy Modified ( #237 )
* new-rule-azure-conditional-access-policy-modified
* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml
Update maturity to production
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml
* Update query to include result value
* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml
* Update query to search both the Azure audit logs and activity logs
* Optimize formatting of query
* Tweak consent grant attack rule
Amending the query in rule, "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs
* Tweak formatting of query to improve Brent's happiness level
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 09:28:32 -06:00
David French
11145ffb7f
[New Rule] Possible Consent Grant Attack via Azure-Registered Application ( #236 )
* new-rule-illicit-consent-grant-attack
* Update initial_access_consent_grant_attack_via_azure_registered_application.toml
Move detailed info and investigation notes to notes field
* Update query to include result field
* Update rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
2020-09-22 08:30:34 -06:00
Brent Murphy
140091e7b8
[New Rule] Azure Storage Account Key Regenerated ( #188 )
* Create credential_access_storage_account_key_regenerated.toml
* Update rules/azure/credential_access_storage_account_key_regenerated.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update credential_access_storage_account_key_regenerated.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 14:08:48 -04:00
Brent Murphy
040f56ff0c
[New Rule] Azure Network Watcher Deletion ( #232 )
2020-09-04 12:18:18 -04:00
Brent Murphy
21431101b7
[New Rule] Azure External Guest User Invitation ( #231 )
* Create initial_access_external_guest_user_invite.toml
* Update rules/azure/initial_access_external_guest_user_invite.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* update mitre metadata
* lint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 12:11:13 -04:00
Brent Murphy
0fc78b3c3b
[New Rule] Azure Key Vault Modified ( #230 )
* [New Rule] Azure Update to Key Vault
* Update rules/azure/credential_access_key_vault_update.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update credential_access_key_vault_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-04 11:30:01 -04:00
Brent Murphy
e49b69af10
[New Rule] Azure Blob Container Access Level Modification ( #192 )
* Create discovery_blob_container_access_mod.toml
* Update rules/azure/discovery_blob_container_access_mod.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* lint
* Update rules/azure/discovery_blob_container_access_mod.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:48:21 -04:00
David French
230b59dfc9
rule-tuning-user-added-as-owner-for-azure-service-principal ( #258 )
2020-09-04 08:36:20 -06:00
Brent Murphy
bcd698add2
[New Rule] Azure Event Hub Deletion ( #170 )
* Create defense_evasion_event_hub_deletion.toml
* Update rules/azure/defense_evasion_event_hub_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/azure/defense_evasion_event_hub_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* lint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 10:23:43 -04:00
Brent Murphy
a49d102de3
[New Rule] Azure Event Hub Authorization Rule Created or Updated ( #173 )
* Create collection_update_event_hub_auth_rule.toml
* Update rules/azure/collection_update_event_hub_auth_rule.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/collection_update_event_hub_auth_rule.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-04 09:32:30 -04:00
Brent Murphy
0ac7f3d672
[New Rule] Azure Firewall Policy Deletion ( #169 )
* Create defense_evasion_firewall_policy_deletion.toml
* Update rules/azure/defense_evasion_firewall_policy_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 09:28:58 -04:00
Brent Murphy
9025a7d183
[New Rule] Azure Diagnostic Settings Deletion ( #157 )
* Create azure_diagnostic_settings_deletion.toml
* Update azure_diagnostic_settings_deletion.toml
2020-09-04 09:20:13 -04:00
Brent Murphy
b4a15960cb
[New Rule] Azure Command Execution on Virtual Machine ( #155 )
* Create execution_command_virtual_machine.toml
* Update execution_command_virtual_machine.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-03 17:09:40 -04:00
Brent Murphy
6b04105936
[New Rule] Azure Resource Group Deletion ( #158 )
* Create impact_resource_group_deletion.toml
* Update rules/azure/impact_resource_group_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-03 17:06:43 -04:00
David French
1f555c289f
[New Rule] Azure Privileged Identity Management Role Modified ( #238 )
* new-rule-azure-pim-role-modified
* Add ATT&CK metadata to rule
* Update rules/azure/defense_evasion_azure_privileged_identity_management_role_modified.toml
2020-09-03 15:02:14 -06:00
David French
89db7384a0
[New Rule] Azure Automation Runbook Deleted ( #235 )
* new-rule-azure-automation-runbook-deleted
* Update rules/azure/impact_azure_automation_runbook_deleted.toml
Fix typo in rule description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/impact_azure_automation_runbook_deleted.toml
Remove superfluous parens from query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 13:09:40 -06:00
David French
225aba61c9
[New Rule] Multi-Factor Authentication Disabled for an Azure User ( #195 )
* new-rule-mfa-disabled-for-an-azure-user
* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml
Update ECS version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_mfa_disabled_for_azure_user.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 12:42:27 -06:00
David French
43204391b6
[New Rule] User Added as Owner for Azure Service Principal ( #194 )
* new-rule-user-added-as-owner-for-azure-service-principal
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Add parens to query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Update ECS version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 12:21:44 -06:00
David French
43f657ac4e
[New Rule] User Added as Owner for Azure Application ( #191 )
* new-rule-user-added-as-owner-for-azure-application
* Update rule name and description
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Update query to remove superfluous quotes
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/defense_evasion_user_added_as_owner_for_azure_application.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Add ATT&CK metadata to rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 12:15:33 -06:00
David French
4c431d2408
[New Rule] Azure Automation Webhook Created ( #179 )
* new-rule-azure-automation-webhook-created
* Update rules/azure/persistence_azure_automation_webhook_created.toml
Update description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/azure/persistence_azure_automation_webhook_created.toml
Update ecs_version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 11:20:50 -06:00
David French
98f216404a
[New Rule] Azure Automation Runbook Created or Modified ( #178 )
* new-rule-azure-automation-runbook-created-or-modified
* Update rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
Update ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-03 11:16:42 -06:00
David French
85e799b378
[New Rule] Azure Automation Account Created ( #177 )
* new-rule-azure-automation-account-created
* Fix rule name format 😄
* Update rules/azure/persistence_azure_automation_account_created.toml
Update maturity to production
* Update rules/azure/persistence_azure_automation_account_created.toml
Update ecs_version to 1.6.0
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-03 11:08:38 -06:00