Sigma Rules
1,473 rules found
Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to tenant by non-approved inviters
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
End User Consent Blocked
Detects when end user consent is blocked due to risk-based consent.
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
Change to Authentication Method
Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
Azure Domain Federation Settings Modified
Identifies when an user or application modified the federation settings on the domain.
User Added To Group With CA Policy Modification Access
Monitor and alert on group membership additions of groups that have CA policy modification access
User Removed From Group With CA Policy Modification Access
Monitor and alert on group membership removal of groups that have CA policy modification access
Guest User Invited By Non Approved Inviters
Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
User State Changed From Guest To Member
Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
Privileged Account Creation
Detects when a new admin is created.
Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
Password Reset By User Account
Detect when a user has reset their password in Azure AD
Account Lockout
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
Successful Authentications From Countries You Do Not Operate Out Of
Detect successful authentications from countries you do not operate out of.
Increased Failed Authentications Of Any Type
Detects when sign-ins increased by 10% or greater.
Authentications To Important Apps Using Single Factor Authentication
Detect when authentications to important application(s) only required single-factor authentication
Device Registration or Join Without MFA
Monitor and alert for device registration or join events where MFA was not performed.
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
Account Disabled or Blocked for Sign in Attempts
Detects when an account is disabled or blocked for sign in but tried to log in
Login to Disabled Account
Detect failed attempts to sign in to disabled accounts.
Multifactor Authentication Denied
User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.
Multifactor Authentication Interrupted
Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
Azure Unusual Authentication Interruption
Detects when there is a interruption in the authentication process.
Users Authenticating To Other Azure AD Tenants
Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
User Access Blocked by Azure Conditional Access
Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
GCP Access Policy Deleted
Detects when an access policy that is applied to a GCP cloud resource is deleted. An adversary would be able to remove access policies to gain access to a GCP cloud resource.
GCP Break-glass Container Workload Deployed
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
Google Cloud Storage Buckets Modified or Deleted
Detects when storage bucket is modified or deleted in Google Cloud.
Google Cloud Re-identifies Sensitive Information
Identifies when sensitive information is re-identified in google Cloud.
Google Cloud DNS Zone Modified or Deleted
Identifies when a DNS Zone is modified or deleted in Google Cloud.
Google Cloud Firewall Modified or Deleted
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
Google Full Network Traffic Packet Capture
Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Google Cloud Kubernetes CronJob
Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Google Cloud Kubernetes RoleBinding
Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
Google Cloud Kubernetes Secrets Modified or Deleted
Identifies when the Secrets are Modified or Deleted.
Google Cloud Service Account Disabled or Deleted
Identifies when a service account is disabled or deleted in Google Cloud.
Google Cloud Service Account Modified
Identifies when a service account is modified in Google Cloud.
Google Cloud SQL Database Modified or Deleted
Detect when a Cloud SQL DB has been modified or deleted.
Google Cloud VPN Tunnel Modified or Deleted
Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
Google Workspace Application Access Level Modified
Detects when an access level is changed for a Google workspace application. An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model. An adversary would be able to remove access levels to gain easier access to Google workspace resources.
Google Workspace Application Removed
Detects when an an application is removed from Google Workspace.
Google Workspace Granted Domain API Access
Detects when an API access service account is granted domain authority.
Google Workspace MFA Disabled
Detects when multi-factor authentication (MFA) is disabled.
Google Workspace Role Modified or Deleted
Detects when an a role is modified or deleted in Google Workspace.