sigma-rules/rules/azure at baefaeeaffa23e942e4c1a3fa8c3f8d2f4f981ca - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

David French cedb2e1289 [New Rule] Azure Conditional Access Policy Modified (#237 )

* new-rule-azure-conditional-access-policy-modified

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

Update maturity to production

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to include result value

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to search both the Azure audit logs and activity logs

* Optimize formatting of query

* Tweak consent grant attack rule

Amending the query in rule, "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs

* Tweak formatting of query to improve Brent's happiness level

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

2020-09-22 09:28:32 -06:00

..

azure_diagnostic_settings_deletion.toml

[New Rule] Azure Diagnostic Settings Deletion (#157 )

2020-09-04 09:20:13 -04:00

collection_update_event_hub_auth_rule.toml

[New Rule] Azure Event Hub Authorization Rule Created or Updated (#173 )

2020-09-04 09:32:30 -04:00

credential_access_key_vault_modified.toml

[New Rule] Azure Key Vault Modified (#230 )

2020-09-04 11:30:01 -04:00

credential_access_storage_account_key_regenerated.toml

[New Rule] Azure Storage Account Key Regenerated (#188 )

2020-09-04 14:08:48 -04:00

defense_evasion_azure_conditional_access_policy_modified.toml

[New Rule] Azure Conditional Access Policy Modified (#237 )

2020-09-22 09:28:32 -06:00

defense_evasion_azure_privileged_identity_management_role_modified.toml

[New Rule] Azure Privileged Identity Management Role Modified (#238 )

2020-09-03 15:02:14 -06:00

defense_evasion_event_hub_deletion.toml

[New Rule] Azure Event Hub Deletion (#170 )

2020-09-04 10:23:43 -04:00

defense_evasion_firewall_policy_deletion.toml

[New Rule] Azure Firewall Policy Deletion (#169 )

2020-09-04 09:28:58 -04:00

defense_evasion_mfa_disabled_for_azure_user.toml

[New Rule] Multi-Factor Authentication Disabled for an Azure User (#195 )

2020-09-03 12:42:27 -06:00

defense_evasion_network_watcher_deletion.toml

[New Rule] Azure Network Watcher Deletion (#232 )

2020-09-04 12:18:18 -04:00

discovery_blob_container_access_mod.toml

[New Rule] Azure Blob Container Access Level Modification (#192 )

2020-09-04 10:48:21 -04:00

execution_command_virtual_machine.toml

[New Rule] Azure Command Execution on Virtual Machine (#155 )

2020-09-03 17:09:40 -04:00

impact_azure_automation_runbook_deleted.toml

[New Rule] Azure Automation Runbook Deleted (#235 )

2020-09-03 13:09:40 -06:00

impact_resource_group_deletion.toml

[New Rule] Azure Resource Group Deletion (#158 )

2020-09-03 17:06:43 -04:00

initial_access_consent_grant_attack_via_azure_registered_application.toml

[New Rule] Azure Conditional Access Policy Modified (#237 )

2020-09-22 09:28:32 -06:00

initial_access_external_guest_user_invite.toml

[New Rule] Azure External Guest User Invitation (#231 )

2020-09-04 12:11:13 -04:00

persistence_azure_automation_account_created.toml

[New Rule] Azure Automation Account Created (#177 )

2020-09-03 11:08:38 -06:00

persistence_azure_automation_runbook_created_or_modified.toml

[New Rule] Azure Automation Runbook Created or Modified (#178 )

2020-09-03 11:16:42 -06:00

persistence_azure_automation_webhook_created.toml

[New Rule] Azure Automation Webhook Created (#179 )

2020-09-03 11:20:50 -06:00

persistence_user_added_as_owner_for_azure_application.toml

[New Rule] User Added as Owner for Azure Application (#191 )

2020-09-03 12:15:33 -06:00

persistence_user_added_as_owner_for_azure_service_principal.toml

rule-tuning-user-added-as-owner-for-azure-service-principal (#258 )

2020-09-04 08:36:20 -06:00