sigma-rules

Files

T

Terrance DeJesus cabf1c2a02 [Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172 )

* Tuning azure and m365 rule names and file paths

* addressing unit test failures

* addressing unit test failures

* Changed Frontdoor to Front Door

* removed extra space in name

* adjusted Microsoft 365 to M365 in rule name

* Update rules/integrations/azure/credential_access_storage_account_key_regenerated.toml

* Update rules/integrations/azure/defense_evasion_automation_runbook_deleted.toml

* Update rules/integrations/azure/execution_automation_runbook_created_or_modified.toml

* Update rules/integrations/azure/persistence_automation_account_created.toml

* Update rules/integrations/azure/impact_key_vault_modified_by_unusual_user.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_sign_in_risk_detected.toml

* Update rules/integrations/azure/initial_access_entra_id_protection_user_risk_detected.toml

* Update rules/integrations/azure/persistence_automation_webhook_created.toml

* Update rules/integrations/azure/persistence_entra_id_global_administrator_role_assigned.toml

* Update rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml

* Update rules/integrations/azure/persistence_event_hub_created_or_updated.toml

* Update rules/integrations/o365/collection_onedrive_excessive_file_downloads.toml

* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_entra_id_signin_brute_force_microsoft_365.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/o365/credential_access_entra_id_potential_user_account_brute_force.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* fixed additional rule names

* Update rule dates and investigation guide headers

- Set updated_date to 2025/12/10 for all modified rules
- Fix investigation guide headers to match actual rule names
- Ensures compliance with test_rule_change_has_updated_date
- Ensures compliance with test_investigation_guide_uses_rule_name

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* changed kibana alert rule name to rule ID

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>

2025-12-10 12:59:50 -05:00

aws

[Rule Tuning] Add Missing Metadata to KEEP conditions (#5442 )

2025-12-09 17:05:20 -08:00

aws_bedrock

[Tuning] Add mv_expand for gen_ai.policy.action field (#5296 )

2025-11-11 07:37:40 +05:30

azure

[Rule Tuning] Update Azure / M365 Rule Names and File Paths (#5172 )

2025-12-10 12:59:50 -05:00

azure_openai

[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151 )