Merge PR #4479 From @frack113 - Upgrade Rules Status

chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Oct 17, 2023 · 020fc80 · 020fc80
1 parent 92874da
commit 020fc80
Show file tree

Hide file tree

Showing 557 changed files with 635 additions and 636 deletions.
diff --git a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml
@@ -1,6 +1,6 @@
 title: Account Created And Deleted By Non Approved Users
 id: c98184ba-4a27-4e10-b7b7-da48e71f4d25
-status: experimental
+status: test
 description: Detects accounts that are created or deleted by non-approved users.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts

diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
@@ -1,6 +1,6 @@
 title: Authentication Occuring Outside Normal Business Hours
 id: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526
-status: experimental
+status: test
 description: Detects user signs ins outside of normal business hours.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins

diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
@@ -1,6 +1,6 @@
 title: Privilege Role Elevation Not Occuring on SAW or PAW
 id: 38a5e67b-436a-4e77-9f73-f48a82626890
-status: experimental
+status: test
 description: Detects failed sign-in from a PAW or SAW device
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor

diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml
@@ -1,6 +1,6 @@
 title: Privilege Role Sign-In Outside Expected Controls
 id: cf1e5687-84e1-41af-97a9-158094efef53
-status: experimental
+status: test
 description: Detects failed sign-in due to user not meeting expected controls for adminitrators
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor

diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
@@ -1,6 +1,6 @@
 title: Privilege Role Sign-In Outside Of Normal Hours
 id: e927a2f5-e7af-424f-ace7-70ebb49e8976
-status: experimental
+status: test
 description: Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor

diff --git a/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml b/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml
@@ -1,6 +1,6 @@
 title: Recon Activity via SASec
 id: 0a3ff354-93fc-4273-8a03-1078782de5b7
-status: experimental
+status: test
 description: Detects remote RPC calls to read information about scheduled tasks via SASec
 references:
     - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931

diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml b/rules/cloud/aws/cloudtrail/aws_ec2_startup_script_change.yml
@@ -1,6 +1,6 @@
 title: AWS EC2 Startup Shell Script Change
 id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
-status: experimental
+status: test
 description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9

diff --git a/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml b/rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
@@ -1,6 +1,6 @@
 title: AWS EC2 VM Export Failure
 id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
-status: experimental
+status: test
 description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
 references:
     - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance

diff --git a/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml
@@ -1,6 +1,6 @@
 title: AWS Glue Development Endpoint Activity
 id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
-status: experimental
+status: test
 description: Detects possible suspicious glue development endpoint activity.
 references:
     - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

diff --git a/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml b/rules/cloud/aws/cloudtrail/aws_rds_change_master_password.yml
@@ -1,6 +1,6 @@
 title: AWS RDS Master Password Change
 id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
-status: experimental
+status: test
 description: Detects the change of database master password. It may be a part of data exfiltration.
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py

diff --git a/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_gateway_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Application Gateway Modified or Deleted
 id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
-status: experimental
+status: test
 description: Identifies when a application gateway is modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_application_security_group_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Application Security Group Modified or Deleted
 id: 835747f1-9329-40b5-9cc3-97d465754ce6
-status: experimental
+status: test
 description: Identifies when a application security group is modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Container Registry Created or Deleted
 id: 93e0ef48-37c8-49ed-a02c-038aab23628e
-status: experimental
+status: test
 description: Detects when a Container Registry is created or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_dns_zone_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure DNS Zone Modified or Deleted
 id: af6925b0-8826-47f1-9324-337507a0babd
-status: experimental
+status: test
 description: Identifies when DNS zone is modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Firewall Modified or Deleted
 id: 512cf937-ea9b-4332-939c-4c2c94baadcd
-status: experimental
+status: test
 description: Identifies when a firewall is created, modified, or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_firewall_rule_collection_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Firewall Rule Collection Modified or Deleted
 id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
-status: experimental
+status: test
 description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_key_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Keyvault Key Modified or Deleted
 id: 80eeab92-0979-4152-942d-96749e11df40
-status: experimental
+status: test
 description: Identifies when a Keyvault Key is modified or deleted in Azure.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Key Vault Modified or Deleted
 id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
-status: experimental
+status: test
 description: Identifies when a key vault is modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_keyvault_secrets_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Keyvault Secrets Modified or Deleted
 id: b831353c-1971-477b-abb6-2828edc3bca1
-status: experimental
+status: test
 description: Identifies when secrets are modified or deleted in Azure.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_admission_controller.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes Admission Controller
 id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
-status: experimental
+status: test
 description: |
   Identifies when an admission controller is executed in Azure Kubernetes.
   A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes Cluster Created or Deleted
 id: 9541f321-7cba-4b43-80fc-fbd1fb922808
-status: experimental
+status: test
 description: Detects when a Azure Kubernetes Cluster is created or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes CronJob
 id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a
-status: experimental
+status: test
 description: |
   Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
   Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes Events Deleted
 id: 225d8b09-e714-479c-a0e4-55e6f29adf35
-status: experimental
+status: test
 description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes Network Policy Change
 id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
-status: experimental
+status: test
 description: Identifies when a Azure Kubernetes network policy is modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes Pods Deleted
 id: b02f9591-12c3-4965-986a-88028629b2e1
-status: experimental
+status: test
 description: Identifies the deletion of Azure Kubernetes Pods.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes Sensitive Role Access
 id: 818fee0c-e0ec-4e45-824e-83e4817b0887
-status: experimental
+status: test
 description: Identifies when ClusterRoles/Roles are being modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
 id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
-status: experimental
+status: test
 description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes Secret or Config Object Access
 id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
-status: experimental
+status: test
 description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Kubernetes Service Account Modified or Deleted
 id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
-status: experimental
+status: test
 description: Identifies when a service account is modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes

diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_policy_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Network Firewall Policy Modified or Deleted
 id: 83c17918-746e-4bd9-920b-8e098bf88c23
-status: experimental
+status: test
 description: Identifies when a Firewall Policy is Modified or Deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_firewall_rule_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Firewall Rule Configuration Modified or Deleted
 id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067
-status: experimental
+status: test
 description: Identifies when a Firewall Rule Configuration is Modified or Deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_p2s_vpn_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Point-to-site VPN Modified or Deleted
 id: d9557b75-267b-4b43-922f-a775e2d1f792
-status: experimental
+status: test
 description: Identifies when a Point-to-site VPN is Modified or Deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_security_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Network Security Configuration Modified or Deleted
 id: d22b4df4-5a67-4859-a578-8c9a0b5af9df
-status: experimental
+status: test
 description: Identifies when a network security configuration is modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_network_virtual_device_modified_or_deleted.yml
@@ -1,9 +1,9 @@
 title: Azure Virtual Network Device Modified or Deleted
 id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
-status: experimental
+status: test
 description: |
-  Identifies when a virtual network device is being modified or deleted.
-  This can be a network interface, network virtual appliance, virtual hub, or virtual router.
+    Identifies when a virtual network device is being modified or deleted.
+    This can be a network interface, network virtual appliance, virtual hub, or virtual router.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
 author: Austin Songer @austinsonger

diff --git a/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml b/rules/cloud/azure/activity_logs/azure_new_cloudshell_created.yml
@@ -1,6 +1,6 @@
 title: Azure New CloudShell Created
 id: 72af37e2-ec32-47dc-992b-bc288a2708cb
-status: experimental
+status: test
 description: Identifies when a new cloudshell is created inside of Azure portal.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/...s/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml b/...s/cloud/azure/activity_logs/azure_subscription_permissions_elevation_via_activitylogs.yml
@@ -1,10 +1,10 @@
 title: Azure Subscription Permission Elevation Via ActivityLogs
 id: 09438caa-07b1-4870-8405-1dbafe3dad95
-status: experimental
+status: test
 description: |
-  Detects when a user has been elevated to manage all Azure Subscriptions.
-  This change should be investigated immediately if it isn't planned.
-  This setting could allow an attacker access to Azure subscriptions in your environment.
+    Detects when a user has been elevated to manage all Azure Subscriptions.
+    This change should be investigated immediately if it isn't planned.
+    This setting could allow an attacker access to Azure subscriptions in your environment.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
 author: Austin Songer @austinsonger

diff --git a/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml b/rules/cloud/azure/activity_logs/azure_suppression_rule_created.yml
@@ -1,6 +1,6 @@
 title: Azure Suppression Rule Created
 id: 92cc3e5d-eb57-419d-8c16-5c63f325a401
-status: experimental
+status: test
 description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_virtual_network_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure Virtual Network Modified or Deleted
 id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f
-status: experimental
+status: test
 description: Identifies when a Virtual Network is modified or deleted in Azure.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/activity_logs/azure_vpn_connection_modified_or_deleted.yml
@@ -1,6 +1,6 @@
 title: Azure VPN Connection Modified or Deleted
 id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3
-status: experimental
+status: test
 description: Identifies when a VPN connection is modified or deleted.
 references:
     - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_removedby_bad_actor.yml
@@ -1,6 +1,6 @@
 title: CA Policy Removed by Non Approved Actor
 id: 26e7c5e2-6545-481e-b7e6-050143459635
-status: experimental
+status: test
 description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access

diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_ca_policy_updatedby_bad_actor.yml
@@ -1,6 +1,6 @@
 title: CA Policy Updated by Non Approved Actor
 id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
-status: experimental
+status: test
 description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access

diff --git a/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml b/rules/cloud/azure/audit_logs/azure_aad_secops_new_ca_policy_addedby_bad_actor.yml
@@ -1,6 +1,6 @@
 title: New CA Policy by Non-approved Actor
 id: 0922467f-db53-4348-b7bf-dee8d0d348c6
-status: experimental
+status: test
 description: Monitor and alert on conditional access changes.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure

diff --git a/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml b/rules/cloud/azure/audit_logs/azure_ad_account_created_deleted.yml
@@ -1,6 +1,6 @@
 title: Account Created And Deleted Within A Close Time Frame
 id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
-status: experimental
+status: test
 description: Detects when an account was created and deleted in a short period of time.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts

diff --git a/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml b/rules/cloud/azure/audit_logs/azure_ad_bitlocker_key_retrieval.yml
@@ -1,6 +1,6 @@
 title: Bitlocker Key Retrieval
 id: a0413867-daf3-43dd-9245-734b3a787942
-status: experimental
+status: test
 description: Monitor and alert for Bitlocker key retrieval.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval

diff --git a/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml b/rules/cloud/azure/audit_logs/azure_ad_device_registration_policy_changes.yml
@@ -1,6 +1,6 @@
 title: Changes to Device Registration Policy
 id: 9494bff8-959f-4440-bbce-fb87a208d517
-status: experimental
+status: test
 description: Monitor and alert for changes to the device registration policy.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy

diff --git a/...loud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml b/...loud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
@@ -1,6 +1,6 @@
 title: Guest Users Invited To Tenant By Non Approved Inviters
 id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
-status: experimental
+status: test
 description: Detects guest users being invited to tenant by non-approved inviters
 references:
     - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins

diff --git a/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/audit_logs/azure_ad_users_added_to_device_admin_roles.yml
@@ -1,6 +1,6 @@
 title: Users Added to Global or Device Admin Roles
 id: 11c767ae-500b-423b-bae3-b234450736ed
-status: experimental
+status: test
 description: Monitor and alert for users added to device admin roles.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles

diff --git a/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml b/rules/cloud/azure/audit_logs/azure_app_appid_uri_changes.yml
@@ -1,6 +1,6 @@
 title: Application AppID Uri Configuration Changes
 id: 1b45b0d1-773f-4f23-aedc-814b759563b1
-status: experimental
+status: test
 description: Detects when a configuration change is made to an applications AppID URI.
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed