Sigma Rules
32 rules found for "Muhammad Faisal"
Bitbucket Full Data Export Triggered
Detects when full data export is attempted.
Bitbucket Global Permission Changed
Detects global permissions change activity.
Bitbucket Global Secret Scanning Rule Deleted
Detects Bitbucket global secret scanning rule deletion activity.
Bitbucket Global SSH Settings Changed
Detects Bitbucket global SSH access configuration changes.
Bitbucket Audit Log Configuration Updated
Detects changes to the bitbucket audit log configuration.
Bitbucket Project Secret Scanning Allowlist Added
Detects when a secret scanning allowlist rule is added for projects.
Bitbucket Secret Scanning Exempt Repository Added
Detects when a repository is exempted from secret scanning feature.
Bitbucket Secret Scanning Rule Deleted
Detects when secret scanning rule is deleted for the project or repository.
Bitbucket Unauthorized Access To A Resource
Detects unauthorized access attempts to a resource.
Bitbucket Unauthorized Full Data Export Triggered
Detects when full data export is attempted an unauthorized user.
Bitbucket User Details Export Attempt Detected
Detects user data export activity.
Bitbucket User Login Failure
Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
Bitbucket User Login Failure Via SSH
Detects SSH user login access failures. Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
Bitbucket User Permissions Export Attempt
Detects user permission data export attempt.
Github Delete Action Invoked
Detects delete action in the Github audit logs for codespaces, environment, project and repo.
Outdated Dependency Or Vulnerability Alert Disabled
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
Github High Risk Configuration Disabled
Detects when a user disables a critical security feature for an organization.
New Github Organization Member Added
Detects when a new member is added or invited to a github organization.
Github New Secret Created
Detects when a user creates action secret for the organization, environment, codespaces or repository.
Github Outside Collaborator Detected
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
Github Push Protection Bypass Detected
Detects when a user bypasses the push protection on a secret detected by secret scanning.
Github Push Protection Disabled
Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
Github Secret Scanning Feature Disabled
Detects if the secret scanning feature is disabled for an enterprise or repository.
Github Self Hosted Runner Changes Detected
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.
Okta Admin Functions Access Through Proxy
Detects access to Okta admin functions through proxy.
Potential Linux Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
QuickAssist Execution
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
Potential Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Okta 2023 Breach Indicator Of Compromise
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach. This rule can be enhanced by filtering out known and legitimate username used in your environnement.
Okta Password Health Report Query
Detects all activities against the endpoint "/reports/password-health/*" which should only be accessed via OKTA Admin Console UI. Use this rule to hunt for potential suspicious requests. Correlate this event with "admin console" login and alert on requests without any corresponding admin console login