forked from opensearch-project/security-analytics
add latest sigma rules (opensearch-project#942)
Signed-off-by: Subhobrata Dey <[email protected]>
Showing 425 changed files with 8,618 additions and 3,959 deletions.
src/main/resources/rules/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml (24 changes: 24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
title: CA Policy Removed by Non Approved Actor | ||
id: 26e7c5e2-6545-481e-b7e6-050143459635 | ||
status: test | ||
description: Monitor and alert on conditional access changes where non approved actor removed CA Policy. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access | ||
author: Corissa Koopmans, '@corissalea' | ||
date: 2022/07/19 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.persistence | ||
- attack.t1548 | ||
- attack.t1556 | ||
logsource: | ||
product: azure | ||
service: auditlogs | ||
detection: | ||
selection: | ||
properties.message: Delete conditional access policy | ||
condition: selection | ||
falsepositives: | ||
- Misconfigured role permissions | ||
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. | ||
level: medium |
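Review bot: the title and description promise detection of a removal by a non-approved actor, but the `selection` block matches every `Delete conditional access policy` audit event with no filter on who initiated it, so every legitimate policy deletion fires as well. Add a filter on the initiating identity and use `condition: selection and not filter` (the pattern `azure_ad_device_registration_or_join_without_mfa.yml` in this same commit uses), or rename the rule so the title reflects that it alerts on all CA policy deletions. The second `falsepositives` entry ("Verify whether the user identity, user agent, and/or hostname should be making changes...") is triage guidance rather than a false-positive source and belongs in the description.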
src/main/resources/rules/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml (24 changes: 24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
title: CA Policy Updated by Non Approved Actor | ||
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc | ||
status: test | ||
description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access | ||
author: Corissa Koopmans, '@corissalea' | ||
date: 2022/07/19 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.persistence | ||
- attack.t1548 | ||
- attack.t1556 | ||
logsource: | ||
product: azure | ||
service: auditlogs | ||
detection: | ||
keywords: | ||
- Update conditional access policy | ||
condition: keywords | ||
falsepositives: | ||
- Misconfigured role permissions | ||
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. | ||
level: medium |
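Review bot: `detection` uses a `keywords` full-text search for "Update conditional access policy" whereas the two sibling CA-policy rules in this commit pin the same kind of string to `properties.message`; a keyword search is evaluated against every field, costs more, and leaves the three rules with inconsistent field mappings that make tuning harder. Suggest `selection:` / `properties.message: Update conditional access policy` with `condition: selection`. As with the delete rule, nothing here restricts the match to a non-approved actor despite the title, so either add an actor filter or adjust the title, and the rhetorical questions in the description ("Is Initiated by (actor) approved to make changes?") read better as triage notes.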
src/main/resources/rules/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml (22 changes: 22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
title: New CA Policy by Non-approved Actor | ||
id: 0922467f-db53-4348-b7bf-dee8d0d348c6 | ||
status: test | ||
description: Monitor and alert on conditional access changes. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure | ||
author: Corissa Koopmans, '@corissalea' | ||
date: 2022/07/18 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1548 | ||
logsource: | ||
product: azure | ||
service: auditlogs | ||
detection: | ||
selection: | ||
properties.message: Add conditional access policy | ||
condition: selection | ||
falsepositives: | ||
- Misconfigured role permissions | ||
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. | ||
level: medium |
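Review bot: as with the other two CA-policy rules, the `selection` matches every `Add conditional access policy` event regardless of actor, so the "Non-approved Actor" in the title is not enforced by the logic; add an actor filter or rename. The tag set here (`attack.t1548` only) and the reference (no `#conditional-access` anchor) also differ from the delete/update siblings dated one day later; aligning the three would keep the rule family consistent.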
src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml (37 changes: 19 additions & 18 deletions)
@@ -1,27 +1,28 @@ | ||
title: Azure Active Directory Hybrid Health AD FS New Server | ||
id: 288a39fc-4914-4831-9ada-270e9dc12cb4 | ||
status: test | ||
description: | | ||
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. | ||
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. | ||
This can be done programmatically via HTTP requests to Azure. | ||
status: experimental | ||
date: 2021/08/26 | ||
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. | ||
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server. | ||
This can be done programmatically via HTTP requests to Azure. | ||
references: | ||
- https://o365blog.com/post/hybridhealthagent/ | ||
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | ||
date: 2021/08/26 | ||
modified: 2023/10/11 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1578 | ||
references: | ||
- https://o365blog.com/post/hybridhealthagent/ | ||
- attack.defense_evasion | ||
- attack.t1578 | ||
logsource: | ||
product: azure | ||
service: azureactivity | ||
product: azure | ||
service: activitylogs | ||
detection: | ||
selection: | ||
CategoryValue: 'Administrative' | ||
ResourceProviderValue: 'Microsoft.ADHybridHealthService' | ||
ResourceId|contains: 'AdFederationService' | ||
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' | ||
condition: selection | ||
selection: | ||
CategoryValue: 'Administrative' | ||
ResourceProviderValue: 'Microsoft.ADHybridHealthService' | ||
ResourceId|contains: 'AdFederationService' | ||
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action' | ||
condition: selection | ||
falsepositives: | ||
- Legitimate AD FS servers added to an AAD Health AD FS service instance | ||
- Legitimate AD FS servers added to an AAD Health AD FS service instance | ||
level: medium |
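Review bot: the functional change is `service: azureactivity` becoming `service: activitylogs` (alongside `status: experimental` to `test` and the added `modified: 2023/10/11`); confirm that this project's Azure log-source mapping recognises `activitylogs`, otherwise the rule silently stops matching `CategoryValue` / `OperationNameValue` events. The description still opens with "This detection uses azureactivity logs", which now disagrees with the logsource; update it to the new service name in the same change. The remainder of the hunk is key reordering with no content change.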
src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml (37 changes: 19 additions & 18 deletions)
@@ -1,27 +1,28 @@ | ||
title: Azure Active Directory Hybrid Health AD FS Service Delete | ||
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff | ||
status: test | ||
description: | | ||
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. | ||
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. | ||
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. | ||
status: experimental | ||
date: 2021/08/26 | ||
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. | ||
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. | ||
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. | ||
references: | ||
- https://o365blog.com/post/hybridhealthagent/ | ||
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | ||
date: 2021/08/26 | ||
modified: 2023/10/11 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1578.003 | ||
references: | ||
- https://o365blog.com/post/hybridhealthagent/ | ||
- attack.defense_evasion | ||
- attack.t1578.003 | ||
logsource: | ||
product: azure | ||
service: azureactivity | ||
product: azure | ||
service: activitylogs | ||
detection: | ||
selection: | ||
CategoryValue: 'Administrative' | ||
ResourceProviderValue: 'Microsoft.ADHybridHealthService' | ||
ResourceId|contains: 'AdFederationService' | ||
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' | ||
condition: selection | ||
selection: | ||
CategoryValue: 'Administrative' | ||
ResourceProviderValue: 'Microsoft.ADHybridHealthService' | ||
ResourceId|contains: 'AdFederationService' | ||
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete' | ||
condition: selection | ||
falsepositives: | ||
- Legitimate AAD Health AD FS service instances being deleted in a tenant | ||
- Legitimate AAD Health AD FS service instances being deleted in a tenant | ||
level: medium |
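Review bot: same `service: azureactivity` to `service: activitylogs` rename as in the new-server rule, with the same two follow-ups: verify the `activitylogs` mapping exists in this project, and bring the description ("uses azureactivity logs") in line with the logsource. Since the description lines are re-added in this hunk anyway, fix "after it is not longer needed" to "after it is no longer needed" at the same time.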
@@ -1,21 +1,22 @@ | ||
title: Account Lockout | ||
id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a | ||
status: experimental | ||
author: AlertIQ | ||
date: 2021/10/10 | ||
status: test | ||
description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts | ||
author: AlertIQ | ||
date: 2021/10/10 | ||
modified: 2022/12/25 | ||
tags: | ||
- attack.credential_access | ||
- attack.t1110 | ||
logsource: | ||
product: azure | ||
service: signinlogs | ||
product: azure | ||
service: signinlogs | ||
detection: | ||
selection: | ||
ResultType: 50053 | ||
condition: selection | ||
level: medium | ||
selection: | ||
ResultType: 50053 | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
tags: | ||
- attack.credential_access | ||
- attack.t1110 | ||
- Unknown | ||
level: medium |
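Review bot: metadata-only change (`status: experimental` to `test`, `modified: 2022/12/25` added, the `tags` block moved above `logsource`) with `selection`, `ResultType: 50053` and `condition` unchanged, so no mapping or logic re-test is needed. The one thing worth touching while here is `falsepositives: - Unknown`: the description itself names the obvious benign cause (a user signing in too many times with an incorrect password), so list that explicitly.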
src/main/resources/rules/azure/azure_ad_account_created_deleted.yml (25 changes: 25 additions & 0 deletions)
@@ -0,0 +1,25 @@ | ||
title: Account Created And Deleted Within A Close Time Frame | ||
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf | ||
status: test | ||
description: Detects when an account was created and deleted in a short period of time. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts | ||
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton | ||
date: 2022/08/11 | ||
modified: 2022/08/18 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1078 | ||
logsource: | ||
product: azure | ||
service: auditlogs | ||
detection: | ||
selection: | ||
properties.message: | ||
- Add user | ||
- Delete user | ||
Status: Success | ||
condition: selection | ||
falsepositives: | ||
- Legit administrative action | ||
level: high |
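Review bot: the title and description describe creation and deletion within a short time frame, but the `selection` is a plain OR over `properties.message: Add user` / `Delete user` with `Status: Success` and `condition: selection`, so the rule fires on every successful user creation and on every deletion with no temporal correlation at all; at `level: high` that will be noisy. Either lower the level and rename the rule to what it actually matches ("User Account Created or Deleted"), or keep the title and implement the time-window correlation on the target user downstream rather than claiming it in this rule.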
src/main/resources/rules/azure/azure_ad_auth_failure_increase.yml (22 changes: 22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
title: Increased Failed Authentications Of Any Type | ||
id: e1d02b53-c03c-4948-b11d-4d00cca49d03 | ||
status: test | ||
description: Detects when sign-ins increased by 10% or greater. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins | ||
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' | ||
date: 2022/08/11 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1078 | ||
logsource: | ||
product: azure | ||
service: signinlogs | ||
detection: | ||
selection: | ||
Status: failure | ||
Count: "<10%" | ||
condition: selection | ||
falsepositives: | ||
- Unlikely | ||
level: medium |
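Review bot: `Count: "<10%"` is a placeholder, not a field that Azure sign-in logs carry, and it is inverted relative to the description ("increased by 10% or greater"); under Sigma's field-equals-value semantics it compares against the literal string `<10%` and will never match, so the rule is dead as shipped. The title says failed authentications while the description says "sign-ins increased"; the description should say failed sign-ins. A percentage increase needs a baseline and an aggregation over time, which a single-event `selection` cannot express, so either mark the rule as requiring a correlation/threshold back end or reduce it to `Status: failure` and leave the threshold to the alerting layer.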
src/main/resources/rules/azure/azure_ad_auth_sucess_increase.yml (23 changes: 23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
title: Measurable Increase Of Successful Authentications | ||
id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae | ||
status: test | ||
description: Detects when successful sign-ins increased by 10% or greater. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins | ||
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton | ||
date: 2022/08/11 | ||
modified: 2022/08/18 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1078 | ||
logsource: | ||
product: azure | ||
service: signinlogs | ||
detection: | ||
selection: | ||
Status: Success | ||
Count: "<10%" | ||
condition: selection | ||
falsepositives: | ||
- Increase of users in the environment | ||
level: low |
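Review bot: same problem as `azure_ad_auth_failure_increase.yml`: `Count: "<10%"` is not a real sign-in log field and contradicts the description's "10% or greater", so the `selection` never matches; the rate comparison has to live in a correlation/threshold layer. Separately, the file name `azure_ad_auth_sucess_increase.yml` misspells "success"; rename it to `azure_ad_auth_success_increase.yml` now, while the file is being added, rather than after it has been referenced.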
src/main/resources/rules/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml (23 changes: 23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
title: Authentications To Important Apps Using Single Factor Authentication | ||
id: f272fb46-25f2-422c-b667-45837994980f | ||
status: test | ||
description: Detect when authentications to important application(s) only required single-factor authentication | ||
references: | ||
- https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts | ||
author: MikeDuddington, '@dudders1' | ||
date: 2022/07/28 | ||
tags: | ||
- attack.initial_access | ||
- attack.t1078 | ||
logsource: | ||
product: azure | ||
service: signinlogs | ||
detection: | ||
selection: | ||
Status: 'Success' | ||
AppId: 'Insert Application ID use OR for multiple' | ||
AuthenticationRequirement: 'singleFactorAuthentication' | ||
condition: selection | ||
falsepositives: | ||
- If this was approved by System Administrator. | ||
level: medium |
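Review bot: `AppId: 'Insert Application ID use OR for multiple'` is an unreplaced template string, so the `selection` can never match a real application ID and the rule is inert as shipped. Either mark it clearly as a template that needs tenant-specific values before it is enabled, or keep it out of the default rule set until populated. If it stays, express the placeholder as a YAML list under `AppId:` with a comment naming the applications to fill in, so a reader sees at a glance that the value is deliberately incomplete.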
...sources/rules/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml (25 changes: 25 additions & 0 deletions)
@@ -0,0 +1,25 @@ | ||
title: Successful Authentications From Countries You Do Not Operate Out Of | ||
id: 8c944ecb-6970-4541-8496-be554b8e2846 | ||
status: test | ||
description: Detect successful authentications from countries you do not operate out of. | ||
references: | ||
- https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts | ||
author: MikeDuddington, '@dudders1' | ||
date: 2022/07/28 | ||
tags: | ||
- attack.initial_access | ||
- attack.credential_access | ||
- attack.t1078.004 | ||
- attack.t1110 | ||
logsource: | ||
product: azure | ||
service: signinlogs | ||
detection: | ||
selection: | ||
Status: 'Success' | ||
filter: | ||
Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>' | ||
condition: selection and not filter | ||
falsepositives: | ||
- If this was approved by System Administrator. | ||
level: medium |
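Review bot: `Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'` is a template placeholder, and because no real `Location` value contains that string the `filter` never matches, so `condition: selection and not filter` degrades to "every successful sign-in"; at `level: medium` that floods alerts the moment the rule is enabled. Same remedy as the single-factor application rule: flag it as a template that needs tenant values or exclude it from the default set. Minor: "e,g" should read "e.g.".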
src/main/resources/rules/azure/azure_ad_azurehound_discovery.yml (23 changes: 23 additions & 0 deletions)
@@ -0,0 +1,23 @@ | ||
title: Discovery Using AzureHound | ||
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b | ||
status: test | ||
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication. | ||
references: | ||
- https://github.com/BloodHoundAD/AzureHound | ||
author: Janantha Marasinghe | ||
date: 2022/11/27 | ||
tags: | ||
- attack.discovery | ||
- attack.t1087.004 | ||
- attack.t1526 | ||
logsource: | ||
product: azure | ||
service: signinlogs | ||
detection: | ||
selection: | ||
userAgent|contains: 'azurehound' | ||
ResultType: 0 | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
level: high |
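Review bot: the match is on the tool's default `userAgent` substring `azurehound` together with `ResultType: 0` (successful sign-in), which is high-confidence when it fires, but a User-Agent string is chosen by the client, so the description should state plainly that this covers default-configuration use only and is not a general AzureHound detection. `falsepositives: - Unknown` can be made concrete: the obvious benign source is an authorised internal BloodHound assessment, which should be scheduled and allow-listed by operator identity. `level: high` is reasonable for a default-UA match.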
src/main/resources/rules/azure/azure_ad_bitlocker_key_retrieval.yml (22 changes: 22 additions & 0 deletions)
@@ -0,0 +1,22 @@ | ||
title: Bitlocker Key Retrieval | ||
id: a0413867-daf3-43dd-9245-734b3a787942 | ||
status: test | ||
description: Monitor and alert for Bitlocker key retrieval. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval | ||
author: Michael Epping, '@mepples21' | ||
date: 2022/06/28 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1078.004 | ||
logsource: | ||
product: azure | ||
service: auditlogs | ||
detection: | ||
selection: | ||
Category: KeyManagement | ||
OperationName: Read BitLocker key | ||
condition: selection | ||
falsepositives: | ||
- Unknown | ||
level: medium |
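Review bot: the rule alerts on every `OperationName: Read BitLocker key` under `Category: KeyManagement` with `falsepositives: - Unknown`, yet the description ("Monitor and alert for Bitlocker key retrieval") implies legitimate retrievals by support staff will match just the same. Name that as the expected false positive, and either add a `filter` on approved support identities with `condition: selection and not filter`, or state in the description that the rule is intended for periodic review rather than paging.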
src/main/resources/rules/azure/azure_ad_device_registration_or_join_without_mfa.yml (24 changes: 24 additions & 0 deletions)
@@ -0,0 +1,24 @@ | ||
title: Device Registration or Join Without MFA | ||
id: 5afa454e-030c-4ab4-9253-a90aa7fcc581 | ||
status: test | ||
description: Monitor and alert for device registration or join events where MFA was not performed. | ||
references: | ||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy | ||
author: Michael Epping, '@mepples21' | ||
date: 2022/06/28 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1078.004 | ||
logsource: | ||
product: azure | ||
service: signinlogs | ||
detection: | ||
selection: | ||
ResourceDisplayName: 'Device Registration Service' | ||
conditionalAccessStatus: 'success' | ||
filter_mfa: | ||
AuthenticationRequirement: 'multiFactorAuthentication' | ||
condition: selection and not filter_mfa | ||
falsepositives: | ||
- Unknown | ||
level: medium |
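Review bot: the `selection` requires `conditionalAccessStatus: 'success'` in addition to `ResourceDisplayName: 'Device Registration Service'`, so a registration sign-in that no conditional access policy evaluated at all (precisely the case where MFA is most likely to be absent) falls outside the selection and is never checked against `filter_mfa`. Confirm that narrowing is intended; otherwise drop the `conditionalAccessStatus` field and let `AuthenticationRequirement: 'multiFactorAuthentication'` in `filter_mfa` carry the logic on its own. `falsepositives: - Unknown` could also name registrations performed under a policy that deliberately exempts the Device Registration Service from MFA.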