Sigma Rules
1,701 rules found
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Impossible Travel
Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
Suspicious Inbox Forwarding Identity Protection
Indicates suspicious rules, such as an inbox rule that forwards a copy of all emails to an external address.
Suspicious Inbox Manipulation Rules
Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.
Azure AD Account Credential Leaked
Indicates that the user's valid credentials have been leaked.
Malicious IP Address Sign-In Failure Rate
Indicates sign-in from a malicious IP address based on high failure rates.
Malicious IP Address Sign-In Suspicious
Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
Sign-In From Malware Infected IP
Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
New Country
Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
Password Spray Activity
Indicates that a password spray attack has been successfully performed.
Primary Refresh Token Access Attempt
Indicates an access attempt to the PRT resource, which can be used to move laterally into an organization or perform credential theft.
Suspicious Browser Activity
Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.
Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
SAML Token Issuer Anomaly
Indicates that the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.
Unfamiliar Sign-In Properties
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
Stale Accounts In A Privileged Role
Identifies when an account hasn't signed in during the past n days.
Invalid PIM License
Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
Roles Assigned Outside PIM
Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.
Roles Activated Too Frequently
Identifies when the same privilege role has multiple activations by the same user.
Roles Are Not Being Used
Identifies when a user has been assigned a privileged role and is not using that role.
Roles Activation Doesn't Require MFA
Identifies when a privileged role can be activated without performing MFA.
Too Many Global Admins
Identifies an event where there are too many accounts assigned the Global Administrator role.
Discovery Using AzureHound
Detects AzureHound (a BloodHound data collector for Microsoft Azure) activity via the default User-Agent that it uses during operation after successful authentication.
Suspicious SignIns From A Non Registered Device
Detects risky authentication from a device that is not AD-registered, without MFA being required.
Sign-ins from Non-Compliant Devices
Monitor and alert for sign-ins where the device was non-compliant.
Potential MFA Bypass Using Legacy Client Authentication
Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.
Sign-in Failure Due to Conditional Access Requirements Not Met
Define a baseline threshold for failed sign-ins due to Conditional Access failures
Use of Legacy Authentication Protocols
Alerts when legacy authentication has been used on an account.
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
Disabling Multi Factor Authentication
Detects disabling of Multi Factor Authentication.
Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a known phishing site.
Okta New Admin Console Behaviours
Detects when Okta identifies new activity in the Admin Console.
Potential Okta Password in AlternateID Field
Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
Okta Suspicious Activity Reported by End-user
Detects when an Okta end-user reports activity by their account as being potentially suspicious.
Okta User Session Start Via An Anonymising Proxy Service
Detects when an Okta user session starts where the user is behind an anonymising proxy service.
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
Credentials In Files - Linux
Detects attempts to extract passwords with grep.
ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
Linux Keylogging with Pam.d
Detects attempts to enable auditing of TTY input.
Auditing Configuration Changes on Linux Host
Detects changes in auditd configuration files.
BPFDoor Abnormal Process ID or Lock File Accessed
Detects access to BPFDoor .lock and .pid files in the temporary file storage facility.
Modification of ld.so.preload
Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
Logging Configuration Changes on Linux Host
Detects changes to syslog daemon configuration files.
Disable System Firewall
Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
Loading of Kernel Module via Insmod
Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence within the system or to elevate privileges.
Relevant ClamAV Message
Detects relevant ClamAV messages.