Merge pull request #1881 from austinsonger/@austinsonger

Update author.
frack113 2021-08-20 06:31:44 +02:00 committed by GitHub
commit ec97e12e35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
31 changed files with 34 additions and 33 deletions

View File

@ -1,7 +1,7 @@
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
description: Identifies when an EKS cluster is created or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
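Review bot: the new `author: Austin Songer @austinsonger` line appends a bare GitHub handle after the name with no separator; Sigma treats `author` as free text, so the rule still loads, but a single agreed pattern (for example `Austin Songer (@austinsonger)`) applied to all 31 files would let tooling that extracts handles from the author string do so reliably. Whichever form is chosen, it should be the same in every hunk of this PR.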

View File

@ -1,7 +1,7 @@
title: AWS ElastiCache Security Group Created
id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
description: Detects when an ElastiCache security group has been created.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19
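Review bot: the `modified: 2021/08/19` context line is left unchanged although this hunk edits the rule file; the `modified` field exists to signal any edit to the rule, so bump it to the merge date (2021/08/20 according to the commit header), and do the same in the other rules in this PR that already carry a `modified` field.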

View File

@ -1,7 +1,7 @@
title: AWS ElastiCache Security Group Modified or Deleted
id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
description: Identifies when an ElastiCache security group has been modified or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19

View File

@ -1,7 +1,7 @@
title: AWS Route 53 Domain Transfer Lock Disabled
id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
author: Elastic, Austin Songer
author: Elastic, Austin Songer @austinsonger
status: experimental
date: 2021/07/22
references:
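Review bot: `author: Elastic, Austin Songer @austinsonger` joins an organisation credit and a personal handle in one comma-separated string, so anything that splits the author field on commas will read the second entry as `Austin Songer @austinsonger`; if the handle is meant to qualify only the second author, a bracketed form such as `Elastic, Austin Songer (@austinsonger)` makes that explicit. The same applies to the next Route 53 rule in this PR.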

View File

@ -1,7 +1,7 @@
title: AWS Route 53 Domain Transferred to Another Account
id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
author: Elastic, Austin Songer
author: Elastic, Austin Songer @austinsonger
status: experimental
date: 2021/07/22
references:

View File

@ -1,7 +1,7 @@
title: AWS S3 Data Management Tampering
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19

View File

@ -1,7 +1,7 @@
title: AWS STS AssumedRole Misuse
id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
description: Identifies the suspicious use of AssumedRole. Attackers could move laterally and escalate privileges.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:

View File

@ -1,7 +1,7 @@
title: AWS STS GetSessionToken Misuse
id: b45ab1d2-712f-4f01-a751-df3826969807
description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:

View File

@ -1,7 +1,7 @@
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
description: Detects when a Container Registry is created or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:

View File

@ -1,7 +1,7 @@
title: Azure Firewall Modified or Deleted
id: 512cf937-ea9b-4332-939c-4c2c94baadcd
description: Identifies when a firewall is created, modified, or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:

View File

@ -1,7 +1,7 @@
title: Azure Firewall Rule Collection Modified or Deleted
id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
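Review bot: the description context line `Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.` has a subject/verb disagreement; since the file is already being touched, change `is being` to `are being`.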

View File

@ -1,7 +1,7 @@
title: Azure Keyvault Key Modified or Deleted
id: 80eeab92-0979-4152-942d-96749e11df40
description: Identifies when a Keyvault Key is modified or deleted in Azure.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:

View File

@ -1,7 +1,7 @@
title: Azure Key Vault Modified or Deleted.
id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
description: Identifies when a key vault is modified or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
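Review bot: the title context line `title: Azure Key Vault Modified or Deleted.` is the only title in this PR that ends with a period, and it spells the product `Key Vault` while the two neighbouring rules use `Keyvault` (`Azure Keyvault Key Modified or Deleted`, `Azure Keyvault Secrets Modified or Deleted`); drop the trailing period and settle on one spelling across the three rules while they are being edited.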

View File

@ -1,7 +1,7 @@
title: Azure Keyvault Secrets Modified or Deleted
id: b831353c-1971-477b-abb6-2828edc3bca1
description: Identifies when secrets are modified or deleted in Azure.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:

View File

@ -1,7 +1,7 @@
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
description: Detects when a Azure Kubernetes Cluster is created or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
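Review bot: the description context line reads `Detects when a Azure Kubernetes Cluster is created or deleted.`; change `a Azure` to `an Azure` while the file is open.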

View File

@ -1,7 +1,7 @@
title: Azure Kubernetes Events Deleted
id: 225d8b09-e714-479c-a0e4-55e6f29adf35
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:

View File

@ -1,7 +1,7 @@
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
description: Identifies the deletion of Azure Kubernetes Pods.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:
@ -12,9 +12,10 @@ logsource:
detection:
selection_operation_name:
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
condition: selection_operation_name
condition: selection_operation_name
level: medium
tags:
- attack.impact
falsepositives:
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
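Review bot: this second hunk goes beyond the commit message `Update author.`: the `condition: selection_operation_name` line is replaced by a line with identical visible content (a whitespace or indentation change that the rendered diff does not show), and the single `falsepositives` entry is split into two list items. The split is reasonable, but the commit message should mention it, and the `condition` line deserves a check that its indentation still sits at the same level as `selection_operation_name` under `detection`, since a mis-indented `condition` makes the rule fail to load.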

View File

@ -1,7 +1,7 @@
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
description: Identifies when ClusterRoles/Roles are being modified or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
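Review bot: title and description disagree on what the rule covers: `title: Azure Kubernetes Sensitive Role Access` versus `description: Identifies when ClusterRoles/Roles are being modified or deleted.`; rename the title to `Modified or Deleted` wording like the sibling rules, or widen the description, so readers and rule catalogs see one consistent statement.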

View File

@ -1,7 +1,7 @@
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
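Review bot: the title `Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted` does not match the description `Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.`; align the two (and use `Modified or Deleted`, as the other rules in this PR do), since a rule that claims deletion coverage it does not have misleads anyone tuning on it.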

View File

@ -1,7 +1,7 @@
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
description: Identifies when a service account is modified or deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:

View File

@ -1,7 +1,7 @@
title: Azure Firewall Rule Configuration Modified or Deleted
id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067
description: Identifies when a Firewall Rule Configuration is Modified or Deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:

View File

@ -1,7 +1,7 @@
title: Azure Point-to-site VPN Modified or Deleted
id: d9557b75-267b-4b43-922f-a775e2d1f792
description: Identifies when a Point-to-site VPN is Modified or Deleted.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:

View File

@ -1,7 +1,7 @@
title: Azure Virtual Network Device Modified or Deleted
id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:

View File

@ -1,7 +1,7 @@
title: Google Cloud Storage Buckets Enumeration
id: e2feb918-4e77-4608-9697-990a1aaf74c3
description: Detects when storage bucket is enumerated in Google Cloud.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/14
references:

View File

@ -1,7 +1,7 @@
title: Google Cloud Storage Buckets Modified or Deleted
id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
description: Detects when storage bucket is modified or deleted in Google Cloud.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/14
references:

View File

@ -1,7 +1,7 @@
title: Google Cloud Firewall Modified or Deleted
id: fe513c69-734c-4d4a-8548-ac5f609be82b
description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/13
references:

View File

@ -1,7 +1,7 @@
title: Google Full Network Traffic Packet Capture
id: 980a7598-1e7f-4962-9372-2d754c930d0e
description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/13
references:

View File

@ -1,7 +1,7 @@
title: Google Cloud Service Account Disabled or Deleted
id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
description: Identifies when a service account is disabled or deleted in Google Cloud.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/14
references:

View File

@ -1,7 +1,7 @@
title: Google Cloud Service Account Modified
id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
description: Identifies when a service account is modified in Google Cloud.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/14
references:

View File

@ -1,7 +1,7 @@
title: Google Cloud VPN Tunnel Modified or Deleted
id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1
description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
author: Austin Songer
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
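Review bot: the description context line `Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.` is missing its verb; change to `Identifies when a VPN Tunnel is modified or deleted in Google Cloud.`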

View File

@ -2,7 +2,7 @@ title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
status: experimental
description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
author: austinsonger
author: Austin Songer @austinsonger
date: 2020/07/06
modified: 2020/07/06
references:
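Review bot: `modified: 2020/07/06` on the last context line equals the `date` and is not bumped even though this hunk changes the file; set it to the merge date (2021/08/20 from the commit header). This is also the only rule in the set whose old author was the bare handle `austinsonger`, so the new `Austin Songer @austinsonger` line brings it in line with the others.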