sigma-rules

Files

T

Isai b7de4f5126 [Tuning] SDH - Investigating MFA Deactivation with no Re-Activation for Okta User Account (#4986 )

* [Tuning] SDH - Investigating MFA Deactivation with no Re-Activation for Okta User Account

This tuning addresses SDH ticket by:
- replacing sequence by `okta.actor.id` with `okta.target.id` in query. This will ensure the deactivation and activation attempts are measured against the target entity. To account for instances where separate users (okta.actor.id) perform deactivation and activation actions against the same target account (okta.target.id)
- Adjusts the investigation guide to use correct target vs. actor fields

* add actor and target id fields to investigation guide

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

2025-08-15 18:02:15 -04:00

aws

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912 )

2025-08-05 19:35:41 -04:00

aws_bedrock

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912 )

2025-08-05 19:35:41 -04:00

azure

[Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access (#4954 )

2025-08-13 17:41:58 -04:00

azure_openai

[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912 )