security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c151d69d3664a279e42567ae6a0ae87f541627e1
sigma-rules/rules/integrations
T
History
Isai c151d69d36 [Rule Tuning] AWS STS AssumeRole with New MFA Device (#4999) 
* [Rule Tuning] AWS STS AssumeRole with New MFA Device

This rule is triggering as expected and low volume of alerts in telemetry. This tuning:
- slight edits to IG
- removed user.id wildcard usage in query as this field always exists for these events
- added the from and interval fields for consistency across rules (they are currently using the same values by default so no real change here)

* adding investigation fields

adding investigation fields
2025-08-22 14:48:39 -04:00
..
aws
[Rule Tuning] AWS STS AssumeRole with New MFA Device (#4999)
2025-08-22 14:48:39 -04:00
aws_bedrock
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
azure
[Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access (#4954)
2025-08-13 17:41:58 -04:00
azure_openai
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
beaconing
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
cyberarkpas
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
ded
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
dga
[Rule Tuning] Reduce Severity from Critical to High (#4637)
2025-05-06 21:37:47 +05:30
endpoint
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
fim
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
gcp
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
github
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
google_workspace
Fix spacing in Setup information (#4470)
2025-02-20 10:04:13 +05:30
kubernetes
Investigation guides Update (#4920)
2025-07-22 07:52:48 +05:30
lmd
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
o365
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
2025-08-05 19:35:41 -04:00
okta
[Tuning] SDH - Investigating MFA Deactivation with no Re-Activation for Okta User Account (#4986)
2025-08-15 18:02:15 -04:00
pad
Prep 8.19/9.1 (#4869)
2025-07-07 11:27:48 -04:00
problemchild
Prep main for 9.1 (#4555)
2025-03-26 11:04:14 -04:00