Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create net_connection_win_susp_azurefd_connection.yml #5077

Merged
merged 4 commits into from
Nov 17, 2024
Merged

Create net_connection_win_susp_azurefd_connection.yml #5077

merged 4 commits into from
Nov 17, 2024

Conversation

IsaacDunham
Copy link
Contributor

@IsaacDunham IsaacDunham commented Nov 11, 2024
edited by nasbench
Loading

Summary of the Pull Request

Adds detection rule for anomalous connections to Azure Front Door, a LOTS Project known documented potential C2 site. Pre-tuned to eliminate most false positives and validated against demo suspicious Azure Front Door connection.

This rule tunes out nearly all noise, but still has too poor a signal:noise ratio to be an alertable detection, thus I am placing this in the Threat Hunting rule collection.

Changelog

new: Potentially Suspicious Azure Front Door Connection

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@IsaacDunham
Create net_connection_win_susp_azurefd_connection.yml
76c365d 
Detects anomalous connections to Azure Front Door, a LOTS Project known documented potential C2 site. Pre-tuned to eliminate most false positives and validated against demo suspicious Azure Front Door connection.
@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules labels Nov 11, 2024
github-actions[bot]
github-actions bot reviewed Nov 11, 2024
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome @IsaacDunham 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@nasbench nasbench self-assigned this Nov 13, 2024
@nasbench nasbench added the Work In Progress Some changes are needed label Nov 13, 2024
@nasbench nasbench added 2nd Review Needed PR need a second approval and removed Work In Progress Some changes are needed labels Nov 13, 2024
@nasbench nasbench removed the 2nd Review Needed PR need a second approval label Nov 17, 2024
@nasbench nasbench merged commit 503bd67 into SigmaHQ:master Nov 17, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@frack113 frack113 frack113 approved these changes

@nasbench nasbench nasbench approved these changes

Assignees

@nasbench nasbench

Labels
Rules Windows Pull request add/update windows related rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@IsaacDunham @nasbench @frack113