Skip to content

Commit

Permalink
add latest sigma rules (opensearch-project#942)
Browse files Browse the repository at this point in the history 
Signed-off-by: Subhobrata Dey <[email protected]>
  • Loading branch information
@sbcd90
sbcd90 authored Mar 19, 2024
1 parent 9b59f61 commit edfff4b
Show file tree
Hide file tree
Showing 425 changed files with 8,618 additions and 3,959 deletions.
24 changes: 24 additions & 0 deletions src/main/resources/rules/azure/azure_aad_secops_ca_policy_removedby_bad_actor.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
title: CA Policy Removed by Non Approved Actor
id: 26e7c5e2-6545-481e-b7e6-050143459635
status: test
description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022/07/19
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1548
- attack.t1556
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Delete conditional access policy
condition: selection
falsepositives:
- Misconfigured role permissions
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
24 changes: 24 additions & 0 deletions src/main/resources/rules/azure/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
title: CA Policy Updated by Non Approved Actor
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
status: test
description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
author: Corissa Koopmans, '@corissalea'
date: 2022/07/19
tags:
- attack.defense_evasion
- attack.persistence
- attack.t1548
- attack.t1556
logsource:
product: azure
service: auditlogs
detection:
keywords:
- Update conditional access policy
condition: keywords
falsepositives:
- Misconfigured role permissions
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
22 changes: 22 additions & 0 deletions src/main/resources/rules/azure/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
title: New CA Policy by Non-approved Actor
id: 0922467f-db53-4348-b7bf-dee8d0d348c6
status: test
description: Monitor and alert on conditional access changes.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure
author: Corissa Koopmans, '@corissalea'
date: 2022/07/18
tags:
- attack.defense_evasion
- attack.t1548
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Add conditional access policy
condition: selection
falsepositives:
- Misconfigured role permissions
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
level: medium
37 changes: 19 additions & 18 deletions src/main/resources/rules/azure/azure_aadhybridhealth_adfs_new_server.yml
View file
Original file line number Diff line number Diff line change
@@ -1,27 +1,28 @@
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
status: experimental
date: 2021/08/26
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
modified: 2023/10/11
tags:
- attack.defense_evasion
- attack.t1578
references:
- https://o365blog.com/post/hybridhealthagent/
- attack.defense_evasion
- attack.t1578
logsource:
product: azure
service: azureactivity
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
falsepositives:
- Legitimate AD FS servers added to an AAD Health AD FS service instance
- Legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium
37 changes: 19 additions & 18 deletions src/main/resources/rules/azure/azure_aadhybridhealth_adfs_service_delete.yml
View file
Original file line number Diff line number Diff line change
@@ -1,27 +1,28 @@
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
status: experimental
date: 2021/08/26
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021/08/26
modified: 2023/10/11
tags:
- attack.defense_evasion
- attack.t1578.003
references:
- https://o365blog.com/post/hybridhealthagent/
- attack.defense_evasion
- attack.t1578.003
logsource:
product: azure
service: azureactivity
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
condition: selection
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
condition: selection
falsepositives:
- Legitimate AAD Health AD FS service instances being deleted in a tenant
- Legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium
29 changes: 15 additions & 14 deletions src/main/resources/rules/azure/azure_account_lockout.yml
View file
Original file line number Diff line number Diff line change
@@ -1,21 +1,22 @@
title: Account Lockout
id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
status: experimental
author: AlertIQ
date: 2021/10/10
status: test
description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
author: AlertIQ
date: 2021/10/10
modified: 2022/12/25
tags:
- attack.credential_access
- attack.t1110
logsource:
product: azure
service: signinlogs
product: azure
service: signinlogs
detection:
selection:
ResultType: 50053
condition: selection
level: medium
selection:
ResultType: 50053
condition: selection
falsepositives:
- Unknown
tags:
- attack.credential_access
- attack.t1110
- Unknown
level: medium
25 changes: 25 additions & 0 deletions src/main/resources/rules/azure/azure_ad_account_created_deleted.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
title: Account Created And Deleted Within A Close Time Frame
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
status: test
description: Detects when an account was created and deleted in a short period of time.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022/08/11
modified: 2022/08/18
tags:
- attack.defense_evasion
- attack.t1078
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message:
- Add user
- Delete user
Status: Success
condition: selection
falsepositives:
- Legit administrative action
level: high
22 changes: 22 additions & 0 deletions src/main/resources/rules/azure/azure_ad_auth_failure_increase.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
title: Increased Failed Authentications Of Any Type
id: e1d02b53-c03c-4948-b11d-4d00cca49d03
status: test
description: Detects when sign-ins increased by 10% or greater.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022/08/11
tags:
- attack.defense_evasion
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: failure
Count: "<10%"
condition: selection
falsepositives:
- Unlikely
level: medium
23 changes: 23 additions & 0 deletions src/main/resources/rules/azure/azure_ad_auth_sucess_increase.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
title: Measurable Increase Of Successful Authentications
id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae
status: test
description: Detects when successful sign-ins increased by 10% or greater.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
date: 2022/08/11
modified: 2022/08/18
tags:
- attack.defense_evasion
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: Success
Count: "<10%"
condition: selection
falsepositives:
- Increase of users in the environment
level: low
23 changes: 23 additions & 0 deletions src/main/resources/rules/azure/azure_ad_auth_to_important_apps_using_single_factor_auth.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
title: Authentications To Important Apps Using Single Factor Authentication
id: f272fb46-25f2-422c-b667-45837994980f
status: test
description: Detect when authentications to important application(s) only required single-factor authentication
references:
- https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022/07/28
tags:
- attack.initial_access
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
AppId: 'Insert Application ID use OR for multiple'
AuthenticationRequirement: 'singleFactorAuthentication'
condition: selection
falsepositives:
- If this was approved by System Administrator.
level: medium
25 changes: 25 additions & 0 deletions ...sources/rules/azure/azure_ad_authentications_from_countries_you_do_not_operate_out_of.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
title: Successful Authentications From Countries You Do Not Operate Out Of
id: 8c944ecb-6970-4541-8496-be554b8e2846
status: test
description: Detect successful authentications from countries you do not operate out of.
references:
- https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts
author: MikeDuddington, '@dudders1'
date: 2022/07/28
tags:
- attack.initial_access
- attack.credential_access
- attack.t1078.004
- attack.t1110
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: 'Success'
filter:
Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
condition: selection and not filter
falsepositives:
- If this was approved by System Administrator.
level: medium
23 changes: 23 additions & 0 deletions src/main/resources/rules/azure/azure_ad_azurehound_discovery.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
title: Discovery Using AzureHound
id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
status: test
description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
references:
- https://github.com/BloodHoundAD/AzureHound
author: Janantha Marasinghe
date: 2022/11/27
tags:
- attack.discovery
- attack.t1087.004
- attack.t1526
logsource:
product: azure
service: signinlogs
detection:
selection:
userAgent|contains: 'azurehound'
ResultType: 0
condition: selection
falsepositives:
- Unknown
level: high
22 changes: 22 additions & 0 deletions src/main/resources/rules/azure/azure_ad_bitlocker_key_retrieval.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
title: Bitlocker Key Retrieval
id: a0413867-daf3-43dd-9245-734b3a787942
status: test
description: Monitor and alert for Bitlocker key retrieval.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
author: Michael Epping, '@mepples21'
date: 2022/06/28
tags:
- attack.defense_evasion
- attack.t1078.004
logsource:
product: azure
service: auditlogs
detection:
selection:
Category: KeyManagement
OperationName: Read BitLocker key
condition: selection
falsepositives:
- Unknown
level: medium
24 changes: 24 additions & 0 deletions src/main/resources/rules/azure/azure_ad_device_registration_or_join_without_mfa.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
title: Device Registration or Join Without MFA
id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
status: test
description: Monitor and alert for device registration or join events where MFA was not performed.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
author: Michael Epping, '@mepples21'
date: 2022/06/28
tags:
- attack.defense_evasion
- attack.t1078.004
logsource:
product: azure
service: signinlogs
detection:
selection:
ResourceDisplayName: 'Device Registration Service'
conditionalAccessStatus: 'success'
filter_mfa:
AuthenticationRequirement: 'multiFactorAuthentication'
condition: selection and not filter_mfa
falsepositives:
- Unknown
level: medium
Loading

0 comments on commit edfff4b

Please sign in to comment.