Sigma Rules
3,332 rules found
Azure Keyvault Key Modified or Deleted
Identifies when a Keyvault Key is modified or deleted in Azure.
Azure Key Vault Modified or Deleted
Identifies when a key vault is modified or deleted.
Azure Keyvault Secrets Modified or Deleted
Identifies when secrets are modified or deleted in Azure.
Azure Kubernetes Admission Controller
Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
Azure Kubernetes Cluster Created or Deleted
Detects when a Azure Kubernetes Cluster is created or deleted.
Azure Kubernetes CronJob
Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Azure Kubernetes Events Deleted
Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
Azure Kubernetes Network Policy Change
Identifies when a Azure Kubernetes network policy is modified or deleted.
Azure Kubernetes Pods Deleted
Identifies the deletion of Azure Kubernetes Pods.
Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
Azure Kubernetes Sensitive Role Access
Identifies when ClusterRoles/Roles are being modified or deleted.
Azure Kubernetes Secret or Config Object Access
Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
Azure Kubernetes Service Account Modified or Deleted
Identifies when a service account is modified or deleted.
Disabled MFA to Bypass Authentication Mechanisms
Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.
Azure Network Firewall Policy Modified or Deleted
Identifies when a Firewall Policy is Modified or Deleted.
Azure Firewall Rule Configuration Modified or Deleted
Identifies when a Firewall Rule Configuration is Modified or Deleted.
Azure Point-to-site VPN Modified or Deleted
Identifies when a Point-to-site VPN is Modified or Deleted.
Azure Network Security Configuration Modified or Deleted
Identifies when a network security configuration is modified or deleted.
Azure Virtual Network Device Modified or Deleted
Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
Azure New CloudShell Created
Identifies when a new cloudshell is created inside of Azure portal.
Azure Owner Removed From Application or Service Principal
Identifies when a owner is was removed from a application or service principal in Azure.
Rare Subscription-level Operations In Azure
Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
Azure Service Principal Created
Identifies when a service principal is created in Azure.
Azure Service Principal Removed
Identifies when a service principal was removed in Azure.
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Azure Suppression Rule Created
Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.
Azure Virtual Network Modified or Deleted
Identifies when a Virtual Network is modified or deleted in Azure.
Azure VPN Connection Modified or Deleted
Identifies when a VPN connection is modified or deleted.
CA Policy Removed by Non Approved Actor
Monitor and alert on conditional access changes where non approved actor removed CA Policy.
CA Policy Updated by Non Approved Actor
Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
New CA Policy by Non-approved Actor
Monitor and alert on conditional access changes.
Account Created And Deleted Within A Close Time Frame
Detects when an account was created and deleted in a short period of time.
Bitlocker Key Retrieval
Monitor and alert for Bitlocker key retrieval.
Certificate-Based Authentication Enabled
Detects when certificate based authentication has been enabled in an Azure Active Directory tenant.
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to tenant by non-approved inviters
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
Users Added to Global or Device Admin Roles
Monitor and alert for users added to device admin roles.
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an applications AppID URI.
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
End User Consent
Detects when an end user consents to an application
End User Consent Blocked
Detects when end user consent is blocked due to risk-based consent.
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
App Granted Privileged Delegated Or App Permissions
Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
Application URI Configuration Changes
Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.