security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a5d9d6400a78d20ab3f2fce315b09a2e15eca879
sigma-rules/rules/integrations/azure
T
History
Terrance DeJesus c6e37d6910 [Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557) 
* tuning Azure rule for illicit grant activity; creating new rule for M365

* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml

* adjusted tags

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
2025-03-27 15:55:04 -04:00
..
collection_update_event_hub_auth_rule.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_azure_entra_totp_brute_force_attempts.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
credential_access_azure_full_network_packet_capture_detected.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_entra_id_device_code_auth_with_broker_client.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_entra_password_spraying_non_interactive_sfa.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
credential_access_entra_signin_brute_force_microsoft_365.toml
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
credential_access_first_time_seen_device_code_auth.toml
fixing double header in investigation notes (#4490)
2025-03-25 09:08:13 -04:00
credential_access_key_vault_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_storage_account_key_regenerated.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_application_credential_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_automation_runbook_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_blob_permissions_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_diagnostic_settings_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_azure_service_principal_addition.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_event_hub_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_firewall_policy_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_frontdoor_firewall_policy_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_kubernetes_events_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_network_watcher_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
defense_evasion_suppression_rule_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
discovery_blob_container_access_mod.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
execution_command_virtual_machine.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_azure_service_principal_credentials_added.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_kubernetes_pod_deleted.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_resource_group_deletion.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
impact_virtual_network_device_modified.toml
deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559)
2025-03-27 10:09:34 -04:00
initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_azure_active_directory_high_risk_signin.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_azure_active_directory_powershell_signin.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_entra_illicit_consent_grant_via_registered_application.toml
[Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557)
2025-03-27 15:55:04 -04:00
initial_access_entra_rare_app_id_for_principal_auth.toml
[New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524)
2025-03-11 11:05:56 -04:00
initial_access_entra_rare_authentication_requirement_for_principal_user.toml
[New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525)
2025-03-11 10:51:01 -04:00
initial_access_external_guest_user_invite.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_automation_account_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_automation_runbook_created_or_modified.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_automation_webhook_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_global_administrator_role_assigned.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_pim_user_added_global_admin.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_azure_privileged_identity_management_role_modified.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_entra_conditional_access_policy_modified.toml
tuning 'Azure Conditional Access Policy Modified' (#4558)
2025-03-27 15:43:46 -04:00
persistence_mfa_disabled_for_azure_user.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_user_added_as_owner_for_azure_application.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_user_added_as_owner_for_azure_service_principal.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
privilege_escalation_azure_kubernetes_rolebinding_created.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00