security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7bd2e2911cd020b2248c4acff0f4b4a7d7fed769
sigma-rules/rules/integrations/azure
T
History
Terrance DeJesus 937a7a35e6 [New Rule] Azure Arc Kubernetes Cluster Connect Abuse (#5824) 
* [New Rule] Azure Arc Kubernetes Cluster Connect Abuse
Fixes #5823

* rename, adjusted query

* adding KEEP *

* adjusting maturity

* added to non-ecs schema

* updating rule

* addressing unit test failures

* adjustments to logic, mitre mappings, unit test failures, etc.

* Update rules/integrations/azure/initial_access_azure_arc_cluster_credential_access_unusual_source.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2026-03-17 11:06:47 -04:00
..
collection_azure_storage_account_blob_public_access_enabled.toml
[New Rule] Azure Storage Account Blob Public Access Enabled (#5139)
2025-10-06 09:15:07 -04:00
collection_entra_id_sharepoint_access_from_unusual_application.toml
[Rule Tuning] Entra ID SharePoint Accessed by Unusual User and Microsoft Authentication Broker Client (#5681)
2026-02-19 10:09:15 -05:00
collection_graph_email_access_by_unusual_public_client_via_graph.toml
[New Rule] ConsentFix Detections (#5485)
2026-01-12 08:45:50 -05:00
credential_access_azure_entra_susp_device_code_signin.toml
[Rule Tuning] Entra ID OAuth Device Code Flow with Concurrent Sign-ins (#5594)
2026-01-23 16:25:51 -05:00
credential_access_azure_service_principal_signin_then_arc_credential_listing.toml
[New Rule] Azure Arc Kubernetes Cluster Connect Abuse (#5824)
2026-03-17 11:06:47 -04:00
credential_access_azure_storage_account_keys_accessed.toml
[New Rule] Azure Storage Account Keys Accessed by Privileged User (#5141)
2025-09-29 12:20:31 -04:00
credential_access_entra_id_brute_force_activity.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
credential_access_entra_id_excessive_account_lockouts.toml
Prep for Release 9.3 (#5548)
2026-01-12 21:07:07 +05:30
credential_access_entra_id_signin_brute_force_microsoft_365.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
credential_access_entra_id_suspicious_signin.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
credential_access_entra_id_totp_brute_force_attempts.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
credential_access_key_vault_excessive_retrieval.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
credential_access_key_vault_retrieval_from_rare_identity.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
credential_access_network_full_network_packet_capture_detected.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
credential_access_storage_account_key_regenerated.toml
[Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows (#5155)
2025-09-30 15:51:50 -04:00
defense_evasion_automation_runbook_deleted.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
defense_evasion_event_hub_deletion.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
defense_evasion_insights_diagnostic_settings_deletion.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
defense_evasion_kubernetes_events_deleted.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
defense_evasion_network_firewall_policy_deletion.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
defense_evasion_network_frontdoor_firewall_policy_deletion.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
defense_evasion_network_watcher_deletion.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
defense_evasion_security_alert_suppression_rule_created.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
defense_evasion_storage_blob_permissions_modified.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
discovery_bloodhound_user_agents_detected.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
discovery_entra_id_teamfiltration_user_agents_detected.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
discovery_storage_blob_container_access_modification.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
execution_automation_runbook_created_or_modified.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
execution_compute_vm_command_executed.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
[New Rule] Azure Storage Blob Retrieval via AzCopy (#5179)
2025-10-16 12:00:55 -04:00
impact_azure_compute_restore_point_collection_deleted.toml
[New Rule] Azure Compute Restore Point Collection Deleted (#5217)
2025-10-17 10:49:38 -04:00
impact_azure_compute_restore_point_collections_deleted.toml
[New Rule] Azure Compute Restore Point Collection Deleted (#5217)
2025-10-17 10:49:38 -04:00
impact_azure_compute_vm_snapshot_deletion.toml
[New Rule] Azure Compute Snapshot Deletion(s) (#5211)
2025-11-15 08:36:03 -05:00
impact_azure_compute_vm_snapshot_deletions.toml
[New Rule] Azure Compute Snapshot Deletion(s) (#5211)
2025-11-15 08:36:03 -05:00
impact_azure_storage_account_deletion_multiple.toml
[New Rule] Azure Storage Account Deletion (#5200)
2025-10-17 10:26:00 -04:00
impact_azure_storage_account_deletion.toml
[New Rule] Azure Storage Account Deletion (#5200)
2025-10-17 10:26:00 -04:00
impact_key_vault_modified_by_unusual_user.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
impact_kubernetes_pod_deleted.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
impact_resources_resource_group_deletion.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_azure_arc_cluster_credential_access_unusual_source.toml
[New Rule] Azure Arc Kubernetes Cluster Connect Abuse (#5824)
2026-03-17 11:06:47 -04:00
initial_access_azure_service_principal_signin_multiple_countries.toml
[New Rule] Azure Arc Kubernetes Cluster Connect Abuse (#5824)
2026-03-17 11:06:47 -04:00
initial_access_entra_id_actor_token_user_impersonation_abuse.toml
[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442)
2025-12-09 17:05:20 -08:00
initial_access_entra_id_device_code_auth_with_broker_client.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_external_guest_user_invite.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_federated_login_by_unusual_client.toml
[Rule Tuning] Entra ID Federated Identity Credential Persistence Detection (#5702)
2026-02-19 15:58:12 -05:00
initial_access_entra_id_first_time_seen_device_code_auth.toml
[Rule Tuning] Entra ID OAuth Device Code Grant by Unusual User (#5791)
2026-03-10 10:37:38 -04:00
initial_access_entra_id_graph_single_session_from_multiple_addresses.toml
[New Rule] ConsentFix Detections (#5485)
2026-01-12 08:45:50 -05:00
initial_access_entra_id_high_risk_signin.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_illicit_consent_grant_via_registered_application.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_oauth_auth_code_grant_unusual_app_resource_user.toml
[Rule Tuning] Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource (#5589)
2026-01-24 08:51:23 -05:00
initial_access_entra_id_oauth_phishing_via_first_party_microsoft_application.toml
[Rule Tuning] Entra ID OAuth Phishing via First-Party Microsoft Application (#5610)
2026-01-26 14:55:18 -05:00
initial_access_entra_id_oauth_user_impersonation_scope.toml
[Rule Tuning] Entra ID OAuth user_impersonation Scope for Unusual User and Client (#5462)
2025-12-18 19:55:02 -05:00
initial_access_entra_id_powershell_signin.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_protection_alerts_for_user.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_protection_confirmed_compromise.toml
[New Rule] Entra ID Protection Admin Confirmed Compromise (#5186)
2025-10-16 14:29:28 -04:00
initial_access_entra_id_protection_sign_in_risk_detected.toml
[Rule Tuning] Entra ID Protection Sign-in and User Risk Detection Rules - Filter Remediated Risk States (#5535)
2026-01-09 11:27:52 -05:00
initial_access_entra_id_protection_user_risk_detected.toml
[Rule Tuning] Entra ID Protection Sign-in and User Risk Detection Rules - Filter Remediated Risk States (#5535)
2026-01-09 11:27:52 -05:00
initial_access_entra_id_rare_app_id_for_principal_auth.toml
[Rule Tuning] Entra ID User Sign-in with Unusual Client (#5473)
2025-12-18 20:04:11 -05:00
initial_access_entra_id_rare_authentication_requirement_for_principal_user.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_risky_user_or_compromised_sign_in.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_unusual_ropc_login_attempt.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_entra_id_user_reported_risk.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
initial_access_graph_first_occurrence_of_client_request.toml
[New Rule] ConsentFix Detections (#5485)
2026-01-12 08:45:50 -05:00
ml_azure_event_failures.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
ml_azure_rare_event_failures.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
ml_azure_rare_method_by_city.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
ml_azure_rare_method_by_country.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
ml_azure_rare_method_by_user.toml
December Schema Refresh (#5420)
2025-12-08 22:07:46 +05:30
persistence_automation_account_created.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_automation_webhook_created.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_application_credential_modification.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_conditional_access_policy_modified.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_global_administrator_role_assigned.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_mfa_disabled_for_user.toml
[Rule Tuning] Beats & Endgame Indices (#5072)
2025-09-09 13:19:13 -05:00
persistence_entra_id_pim_user_added_global_admin.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_privileged_identity_management_role_modified.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_rt_to_prt_transition_from_user_device.toml
[Rule Tuning] Entra ID OAuth PRT Issuance to Non-Managed Device Detected (#5464)
2025-12-21 16:30:32 -05:00
persistence_entra_id_service_principal_created.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_service_principal_credentials_added.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_service_principal_federated_issuer_modified.toml
adjusted min-stack (#5763)
2026-02-23 17:31:36 -05:00
persistence_entra_id_suspicious_adrs_token_request.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_suspicious_cloud_device_registration.toml
[Rule Tuning] Entra ID Suspicious Cloud Device Registration (#5683)
2026-02-18 17:37:17 -05:00
persistence_entra_id_tenant_domain_federation_via_audit_logs.toml
[New Rule] Entra ID Domain Federation Abuse (#5809)
2026-03-10 10:16:50 -04:00
persistence_entra_id_user_added_as_owner_for_azure_application.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_user_added_as_owner_for_azure_service_principal.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_entra_id_user_signed_in_from_unusual_device.toml
[New Rule] ConsentFix Detections (#5485)
2026-01-12 08:45:50 -05:00
persistence_event_hub_created_or_updated.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_graph_eam_addition_or_modification.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
persistence_identity_protect_alert_followed_by_device_reg.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
privilege_escalation_azure_rbac_administrator_roles_assigned.toml
[New Rule] Azure RBAC Built-In Administrator Roles Assigned (#5113)
2025-10-06 09:38:56 -04:00
privilege_escalation_entra_id_elevate_to_user_administrator_access.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
privilege_escalation_kubernetes_aks_rolebinding_created.toml
[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172)
2025-12-10 12:59:50 -05:00
resource_development_entra_id_custom_domain_added_and_verified.toml
[New Rule] Entra ID Domain Federation Abuse (#5809)
2026-03-10 10:16:50 -04:00