Sigma Rules
115 rules found for "Austin Songer"
Azure Domain Federation Settings Modified
Identifies when an user or application modified the federation settings on the domain.
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Azure Unusual Authentication Interruption
Detects when there is a interruption in the authentication process.
Google Cloud Storage Buckets Enumeration
Detects when storage bucket is enumerated in Google Cloud.
Google Cloud Storage Buckets Modified or Deleted
Detects when storage bucket is modified or deleted in Google Cloud.
Google Cloud Re-identifies Sensitive Information
Identifies when sensitive information is re-identified in google Cloud.
Google Cloud DNS Zone Modified or Deleted
Identifies when a DNS Zone is modified or deleted in Google Cloud.
Google Cloud Firewall Modified or Deleted
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
Google Full Network Traffic Packet Capture
Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
Google Cloud Kubernetes Admission Controller
Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Google Cloud Kubernetes CronJob
Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Google Cloud Kubernetes RoleBinding
Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
Google Cloud Kubernetes Secrets Modified or Deleted
Identifies when the Secrets are Modified or Deleted.
Google Cloud Service Account Disabled or Deleted
Identifies when a service account is disabled or deleted in Google Cloud.
Google Cloud Service Account Modified
Identifies when a service account is modified in Google Cloud.
Google Cloud SQL Database Modified or Deleted
Detect when a Cloud SQL DB has been modified or deleted.
Google Cloud VPN Tunnel Modified or Deleted
Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
Google Workspace Application Removed
Detects when an an application is removed from Google Workspace.
Google Workspace Granted Domain API Access
Detects when an API access service account is granted domain authority.
Google Workspace MFA Disabled
Detects when multi-factor authentication (MFA) is disabled.
Google Workspace Role Modified or Deleted
Detects when an a role is modified or deleted in Google Workspace.
Google Workspace Role Privilege Deleted
Detects when an a role privilege is deleted in Google Workspace.
Google Workspace User Granted Admin Privileges
Detects when an Google Workspace user is granted admin privileges.
Activity from Suspicious IP Addresses
Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
Activity Performed by Terminated User
Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
Activity from Anonymous IP Addresses
Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
Activity from Infrequent Country
Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
Data Exfiltration to Unsanctioned Apps
Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
Microsoft 365 - Impossible Travel Activity
Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
Logon from a Risky IP Address
Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
Microsoft 365 - Potential Ransomware Activity
Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
Suspicious Inbox Forwarding
Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
Suspicious OAuth App File Download Activities
Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
Microsoft 365 - Unusual Volume of File Deletion
Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
Microsoft 365 - User Restricted from Sending Email
Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
Okta Admin Role Assigned to an User or Group
Detects when an the Administrator role is assigned to an user or group.
Okta API Token Created
Detects when a API token is created
Okta API Token Revoked
Detects when a API Token is revoked.
Okta Application Modified or Deleted
Detects when an application is modified or deleted.
Okta Application Sign-On Policy Modified or Deleted
Detects when an application Sign-on Policy is modified or deleted.
Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a known phishing site.
Okta MFA Reset or Deactivated
Detects when an attempt at deactivating or resetting MFA.
Okta Network Zone Deactivated or Deleted
Detects when an Network Zone is Deactivated or Deleted.
Okta Policy Modified or Deleted
Detects when an Okta policy is modified or deleted.
Okta Policy Rule Modified or Deleted
Detects when an Policy Rule is Modified or Deleted.
Okta Security Threat Detected
Detects when an security threat is detected in Okta.
Okta Unauthorized Access to App
Detects when unauthorized access to app occurs.
Okta User Account Locked Out
Detects when an user account is locked out.