
New Offie365 rules...

Champ Clark III
Champ Clark III committed Sep 28, 2018
1 parent 6f87a80 commit 19189443fdd306769c4afd7ab837da316f2690b5
Showing with 5 additions and 5 deletions.
  1. +1 −1 .last_used_sid
  2. +2 −4 office365.rules
  3. +2 −0 sagan-sid-msg.map
@@ -1 +1 @@
5003928
5003930
@@ -64,9 +64,7 @@ alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OFFICE365] ALERT_COMPROMISE
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OFFICE365] EVENT_CATEGORY_CREATE_USER"; content: "EVENT_CATEGORY_CREATE_USER"; classtype:unsuccessful-user; reference: url,docs.microsoft.com/en-us/cloud-app-security/monitor-alerts; reference: url,wiki.quadrantsec.com/bin/view/Main/5003817; sid:5003817; rev:1;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OFFICE365] EVENT_CATEGORY_DELETE_USER"; content: "EVENT_CATEGORY_DELETE_USER"; classtype:unsuccessful-user; reference: url,docs.microsoft.com/en-us/cloud-app-security/monitor-alerts; reference: url,wiki.quadrantsec.com/bin/view/Main/5003820; sid:5003820; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OFFICE365] ALERT_ANUBIS_DETECTION_REPEATED_ACTIVITY_ADMIN_ACTIVITY"; content: "ALERT_ANUBIS_DETECTION_REPEATED_ACTIVITY_ADMIN_ACTIVITY"; classtype:unsuccessful-user; reference: url,docs.microsoft.com/en-us/cloud-app-security/monitor-alerts; reference: url,wiki.quadrantsec.com/bin/view/Main/5003929; sid:5003929; rev:1;)





alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[OFFICE365] ALERT_MANAGEMENT_DISCOVERY_BREACHED_APP"; content: "ALERT_MANAGEMENT_DISCOVERY_BREACHED_APP"; classtype:unsuccessful-user; reference: url,docs.microsoft.com/en-us/cloud-app-security/monitor-alerts; reference: url,wiki.quadrantsec.com/bin/view/Main/5003930; sid:5003930; rev:1;)
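Review bot: Both new rules (sid 5003929 and sid 5003930) carry `classtype:unsuccessful-user`, the class for an unsuccessful user privilege gain, which describes neither a repeated-admin-activity alert nor a breached-app discovery alert, and the classtype is what sets the priority Sagan attaches to the event for downstream triage. The two commented-out rules earlier in the hunk use the same value, so it looks copied forward rather than chosen per event. A class that names the behaviour would be more useful, for example `classtype:policy-violation;` on the breached-app rule, provided that name is present in the shipped classification.config. If the run of blank lines between the two new rules survives on the new side, collapsing it to a single blank line would match the spacing used by the rest of the hunk.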

5003925 || [Incapsula] Backdoor Protect || url,wiki.quadrantsec.com/bin/view/Main/5003925
5003927 || [WINDOWS-AUTH] User added to Local Administrators group || url,wiki.quadrantsec.com/bin/view/Main/5003927
5003928 || [SU] Successful sudo to user ROOT executed || url,wiki.quadrantsec.com/bin/view/Main/5003928
5003929 || [OFFICE365] ALERT_ANUBIS_DETECTION_REPEATED_ACTIVITY_ADMIN_ACTIVITY || url,wiki.quadrantsec.com/bin/view/Main/5003929 || url,docs.microsoft.com/en-us/cloud-app-security/monitor-alerts
5003930 || [OFFICE365] ALERT_MANAGEMENT_DISCOVERY_BREACHED_APP || url,wiki.quadrantsec.com/bin/view/Main/5003930 || url,docs.microsoft.com/en-us/cloud-app-security/monitor-alerts
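Review bot: The two new map lines list the references as wiki first, then docs.microsoft, while the corresponding rules in office365.rules list docs.microsoft first, then wiki. Keeping the order identical between a rule and its map entry makes it easier to spot a sid whose message or references drifted from the rule; the sid and msg text themselves match the rules exactly, which is the important part. The preceding map entries in this section carry a single reference each, so the new two-reference form is the only place this ordering can diverge.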
