security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
28a06fd25fbdff313d94d50be1291311df99cf5d
sigma-rules/rules/integrations/azure
T
History
Terrance DeJesus 3ed820afa8 [New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523) 
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'

* updating name

* added investigation guide

* updated investigation guide

* updated investigation guide

* removed unnecessary comment

* adjusted logic to count distinct on principal id; principal name will be in aggregations now

* updated Entra ID name
2025-03-11 11:25:10 -04:00
..
collection_update_event_hub_auth_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_azure_entra_totp_brute_force_attempts.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_azure_full_network_packet_capture_detected.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_entra_id_device_code_auth_with_broker_client.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_entra_password_spraying_non_interactive_sfa.toml
[New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523)
2025-03-11 11:25:10 -04:00
credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_entra_signin_brute_force_microsoft_365.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_first_time_seen_device_code_auth.toml
[Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466)
2025-02-20 10:29:04 -05:00
credential_access_key_vault_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_storage_account_key_regenerated.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_application_credential_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_automation_runbook_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_blob_permissions_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_diagnostic_settings_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_service_principal_addition.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_event_hub_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_firewall_policy_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_frontdoor_firewall_policy_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_kubernetes_events_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_network_watcher_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_suppression_rule_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_blob_container_access_mod.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_command_virtual_machine.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_azure_service_principal_credentials_added.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_kubernetes_pod_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_resource_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_virtual_network_device_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_azure_active_directory_high_risk_signin.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_azure_active_directory_powershell_signin.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_consent_grant_attack_via_azure_registered_application.toml
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283)
2024-12-06 17:27:38 -05:00
initial_access_entra_rare_app_id_for_principal_auth.toml
[New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524)
2025-03-11 11:05:56 -04:00
initial_access_entra_rare_authentication_requirement_for_principal_user.toml
[New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525)
2025-03-11 10:51:01 -04:00
initial_access_external_guest_user_invite.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_automation_account_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_automation_runbook_created_or_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_automation_webhook_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_conditional_access_policy_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_global_administrator_role_assigned.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_pim_user_added_global_admin.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_privileged_identity_management_role_modified.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_mfa_disabled_for_azure_user.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_user_added_as_owner_for_azure_application.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_user_added_as_owner_for_azure_service_principal.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_azure_kubernetes_rolebinding_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00