Austin Songer
8382bbfe09
Create gworkspace_user_assigned_admin_role.yml
2021-08-23 19:37:46 -05:00
Austin Songer
edcb956f2a
Merge branch 'SigmaHQ:master' into gworkspace_user_assigned_admin_role.yml
2021-08-23 19:37:06 -05:00
Austin Songer
c0e58d3c27
Update
2021-08-23 23:00:58 +00:00
Austin Songer
29e1ce7e8f
Update
2021-08-23 22:50:39 +00:00
Austin Songer
ad892eb239
Update
2021-08-23 22:46:37 +00:00
Austin Songer
84944cf849
Update
2021-08-23 22:30:11 +00:00
Austin Songer
53482b7e9c
Update
2021-08-23 22:19:41 +00:00
Austin Songer
754158bfd2
Update
2021-08-23 22:18:12 +00:00
Austin Songer
da69b2f531
Update
2021-08-23 22:09:27 +00:00
Austin Songer
595bd3b80f
Updated
2021-08-23 22:07:09 +00:00
Austin Songer
1fa32fcd1a
Update
2021-08-23 22:02:47 +00:00
frack113
c6d55a3e13
Merge pull request #1909 from neu5ron/patch-8
...
condition fix and add fields
2021-08-23 21:31:06 +02:00
Austin Songer
4ab9519546
Update
2021-08-23 18:59:07 +00:00
Nate Guagenti
b255586117
condition fix and add fields
...
should be `operation` not `endpoint` for the detection logic.
added various fields useful for investigation
2021-08-23 14:59:06 -04:00
frack113
d89cebab55
Merge pull request #1907 from neu5ron/patch-6
...
correct fields for zeek_rdp_public_listener.yml
2021-08-23 20:58:01 +02:00
Austin Songer
8e4b8f45dd
Update
2021-08-23 18:57:17 +00:00
Austin Songer
a5c551ad61
Merge branch '365' of https://github.com/austinsonger/sigma into 365
2021-08-23 18:55:40 +00:00
Austin Songer
41786a1b63
In-Progress
2021-08-23 18:55:29 +00:00
Nate Guagenti
064d7b7b9f
improve rule logic zeek_default_cobalt_strike_certificate.yml
...
zeek logging for `certificate.serial` has all letters capitalized
2021-08-23 14:23:41 -04:00
Nate Guagenti
cfc32e5950
correct fields for zeek_rdp_public_listener.yml
...
correct zeek fields for `fields` section.
improve false positives information
2021-08-23 14:16:55 -04:00
Nate Guagenti
1819e4b02b
improve rule
...
- improve rule logic
- match zeek fields for fields section
- add false positive information
- change rule name to match the logic of the original rule. Rule said "first" seen; however, there is no logic that matches that (i.e. rare, stacking, etc.)
2021-08-23 14:12:50 -04:00
Nate Guagenti
feb7d0e187
Update zeek_dns_mining_pools.yml
2021-08-23 14:11:04 -04:00
Nate Guagenti
b00e1772b3
added logic and usage
...
rule logic should be endswith.
match zeek fields for `fields` section
add false positive information
2021-08-23 14:03:38 -04:00
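Two of the Zeek rule fixes above (the `certificate.serial` capitalization note for zeek_default_cobalt_strike_certificate.yml and the "rule logic should be endswith" note) come down to how a Sigma selection is evaluated against the raw Zeek field. The following added example, which is not SigmaHQ code and not the content of either rule, is a minimal Sigma-style matcher run over constructed Zeek-shaped records. The domain `pool.example`, the hosts, and the serial `8BB00EE` are placeholder values chosen for illustration; the real rules' values are not reproduced here.

```python
"""Minimal Sigma-style field matcher over constructed Zeek records.

Added example, not SigmaHQ code. It demonstrates two effects seen in the
commits above: an `endswith` modifier versus `contains` on a DNS query,
and what happens to an equality match on `certificate.serial` when the
backend compares strings case-sensitively and Zeek writes hex upper-case.
"""

# Constructed Zeek-style records (not real logs). Field names follow the
# Zeek JSON column names used by the rules (`id.orig_h`, `query`,
# `certificate.serial`); the values are placeholders.
ZEEK_DNS = [
    {"_path": "dns", "id.orig_h": "10.0.0.5", "query": "eu1.pool.example"},
    {"_path": "dns", "id.orig_h": "10.0.0.6", "query": "pool.example.attacker.net"},
    {"_path": "dns", "id.orig_h": "10.0.0.7", "query": "www.example.com"},
]
ZEEK_X509 = [
    {"_path": "x509", "certificate.serial": "8BB00EE"},  # hypothetical serial, upper-case as Zeek logs it
    {"_path": "x509", "certificate.serial": "0123ABC"},
]


def match_field(value, pattern, modifier=None, case_sensitive=True):
    """Compare one field value against one pattern under a Sigma-like modifier."""
    if not isinstance(value, str):
        return False  # missing or non-string field never matches
    v, p = (value, pattern) if case_sensitive else (value.lower(), pattern.lower())
    if modifier is None:
        return v == p
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def evaluate(selection, record, case_sensitive=True):
    """A selection is a dict of 'field' or 'field|modifier' -> pattern or list.

    Keys are AND-ed together; a list of patterns for one key is OR-ed,
    mirroring how a Sigma selection map is read.
    """
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        modifier = modifier or None
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(match_field(record.get(field), p, modifier, case_sensitive)
                   for p in patterns):
            return False
    return True


def find_matches(selection, records, case_sensitive=True):
    return [r for r in records if evaluate(selection, r, case_sensitive)]


def dns_hits(selection):
    """Source hosts whose DNS query matched the selection."""
    return [r["id.orig_h"] for r in find_matches(selection, ZEEK_DNS)]


def serial_hits(pattern, case_sensitive=True):
    """Serials matched by an equality selection on `certificate.serial`."""
    sel = {"certificate.serial": pattern}
    return [r["certificate.serial"]
            for r in find_matches(sel, ZEEK_X509, case_sensitive)]


if __name__ == "__main__":
    # `contains` also fires on the look-alike host where the pool domain is
    # merely a prefix; `endswith` on the dotted suffix does not.
    print("contains :", dns_hits({"query|contains": "pool.example"}))
    print("endswith :", dns_hits({"query|endswith": ".pool.example"}))
    # A lower-case rule value misses an upper-case Zeek serial on a
    # case-sensitive backend; writing the value the way Zeek logs it matches.
    print("lower, cs:", serial_hits("8bb00ee"))
    print("upper, cs:", serial_hits("8BB00EE"))
    print("lower, ci:", serial_hits("8bb00ee", case_sensitive=False))
```

The Sigma specification treats string matches as case-insensitive, but whether a given backend honours that depends on how the target field is indexed and mapped; when it does not, the rule value has to be written exactly as the log source emits it, which is what the serial-capitalization fix above does.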
Austin Songer
3d151ef9f1
Update microsoft365_logon_from_risky_ip_address.yml
2021-08-23 12:59:53 -05:00
Austin Songer
23e96712f8
Update microsoft365_data_exfiltration_to_unsanctioned_app.yml
2021-08-23 12:59:44 -05:00
frack113
a04fbe2a99
Merge pull request #1901 from frack113/redcanary
...
Redcanary Powershell Suspicious Win32_PnPEntity T1120
2021-08-23 19:44:16 +02:00
frack113
07c808d35c
Merge pull request #1902 from neu5ron/patch-2
...
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 19:43:58 +02:00
Austin Songer
1834324a16
Update
2021-08-23 17:33:57 +00:00
Austin Songer
7d211f2487
Data exfiltration to unsanctioned apps
2021-08-23 17:33:00 +00:00
Austin Songer
f5286905ff
Merge branch 'SigmaHQ:master' into microsoft365
2021-08-23 12:22:58 -05:00
Austin Songer
b52f4ba1c3
Merge branch 'master' of https://github.com/austinsonger/sigma
2021-08-23 17:22:08 +00:00
Austin Songer
3a4c61f44d
M365 - Inbox Manipulation Rules
2021-08-23 17:21:27 +00:00
Austin Songer
ae84559488
M365 - Risky IP Addresses
2021-08-23 17:18:16 +00:00
frack113
9d3a13b13e
cleanup
2021-08-23 19:04:01 +02:00
Florian Roth
998ebbe1f3
fix: typo in name
2021-08-23 18:46:05 +02:00
Florian Roth
6b86dacc9e
rule: razor installer
2021-08-23 18:44:15 +02:00
frack113
be316db84d
Merge pull request #1899 from secDre4mer/master
...
feat: Add rule for malicious CSR export on Exchange
2021-08-23 17:26:16 +02:00
Nate Guagenti
4f8bd4a5a2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
...
try new uuid to pass check...
2021-08-23 11:24:22 -04:00
Nate Guagenti
6aea58b4d2
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 11:18:51 -04:00
frack113
cac40065b0
Merge pull request #1900 from ZikyHD/add_fields
...
Add fields to event log cleared
2021-08-23 17:15:32 +02:00
Nate Guagenti
78c667fda1
Update zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
...
shorten title
2021-08-23 11:15:30 -04:00
Nate Guagenti
96e77eb8db
Create zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
2021-08-23 11:06:44 -04:00
SomeOne
037f33b5e2
Replace by default windows fieldnames
2021-08-23 15:24:48 +02:00
Florian Roth
91b42f9077
fix: indentation
2021-08-23 15:03:59 +02:00
SomeOne
45f30cb2b4
Add fields to event log cleared
2021-08-23 15:00:07 +02:00
frack113
25072e37b3
update references
2021-08-23 13:30:46 +02:00
frack113
33c6ff6b5f
add powershell_suspicious_win32_pnpentity
2021-08-23 13:17:35 +02:00
Max Altgelt
82dde594d1
feat: Add rule for malicious CSR export on Exchange
2021-08-23 11:20:30 +02:00
frack113
52595de85e
Merge pull request #1889 from rachelrice/update_aws_rules
...
Update AWS CloudTrail rules
2021-08-23 11:14:31 +02:00
Florian Roth
a0f72e5f6f
rule: suspicious splwow64 process starts
2021-08-23 10:41:42 +02:00