diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Account - Master Password Changed.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Account - Master Password Changed.yml
new file mode 100644
index 0000000..aa2361e
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Account - Master Password Changed.yml
@@ -0,0 +1,17 @@
+title: Account - Master Password Changed
+description: Detects when Keeper Security Account master password is changed.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*account*'
+ string_condition_0:
+ eventName: '*change_master_password*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/BreachWatch - Detected High-Risk Record Password.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/BreachWatch - Detected High-Risk Record Password.yml
new file mode 100644
index 0000000..140655a
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/BreachWatch - Detected High-Risk Record Password.yml
@@ -0,0 +1,17 @@
+title: BreachWatch - Detected High-Risk Record Password
+description: Detects when Keeper Security's BreachWatch service identifies a high-risk password record.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*breachwatch*'
+ string_condition_0:
+ eventName: '*bw_record_high_risk*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
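Review bot: `level: info` under-weights a master-password change, and the same fixed level is applied in every file of this commit, including the two-factor-disabled and admin-permission-added hunks on later lines where it is even harder to justify; `level: medium` seems more appropriate for at least those three. `tags: []` also leaves the rules without an ATT&CK mapping; if this taxonomy consumes Sigma tags, `tags: [attack.persistence, attack.t1098]` fits this rule, `attack.t1556.006` the two-factor-disabled one, and `attack.credential_access, attack.t1110` the login-failure one. Both selections wrap their values in `*`, which makes them substring matches; that is presumably intended for `eventName`, but `category: '*account*'` would also match any category containing that word, so a plain `account` may be safer if the field carries a bare value.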
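Review bot: This file ends without a trailing newline (`\ No newline at end of file`), as do the seven files in the later hunks, while the first file in this commit ends with one; terminating all nine with a single newline keeps future diffs clean and satisfies yamllint's `new-line-at-end-of-file` check. Neither this rule nor the others carries an `id` or `falsepositives` entry; if the tm-v1 taxonomy permits them, a stable `id` is worth adding before the rules are referenced from elsewhere, and a `falsepositives` note that BreachWatch findings on shared or test records are expected would help triage.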
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/BreachWatch - Ignored High-Risk Record Password.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/BreachWatch - Ignored High-Risk Record Password.yml
new file mode 100644
index 0000000..241dd82
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/BreachWatch - Ignored High-Risk Record Password.yml
@@ -0,0 +1,17 @@
+title: BreachWatch - Ignored High-Risk Record Password
+description: Detects when Keeper Security's BreachWatch service identifies a high-risk password record that has been ignored by the user.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*breachwatch*'
+ string_condition_0:
+ eventName: '*bw_record_ignored*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/General Usage - Audit Sync Failed.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/General Usage - Audit Sync Failed.yml
new file mode 100644
index 0000000..79accf5
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/General Usage - Audit Sync Failed.yml
@@ -0,0 +1,17 @@
+title: General Usage - Audit Sync Failed
+description: Detects when Keeper Security Audit Sync fails.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*usage*'
+ string_condition_0:
+ eventName: '*audit_sync_failed*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
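Review bot: `level: info` is low for an audit-sync failure, because a failed sync likely means Keeper events are not being forwarded and every other rule in this commit loses visibility until it recovers; `level: medium` and, if tags are used, `tags: [attack.defense_evasion]` would reflect that impact. The description could also tell the operator what the alert implies, e.g. `description: Detects when Keeper Security Audit Sync fails; Keeper events may be missing from downstream detections until sync is restored.` The category filter `'*usage*'` is a substring match, so confirm it does not also pick up other Keeper categories containing that word.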
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/General Usage - User Deleted a Record.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/General Usage - User Deleted a Record.yml
new file mode 100644
index 0000000..3efa85c
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/General Usage - User Deleted a Record.yml
@@ -0,0 +1,17 @@
+title: General Usage - User Deleted a Record
+description: Detects when Keeper Security users delete a record from their vault.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*usage*'
+ string_condition_0:
+ eventName: '*record_delete*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Login Failed.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Login Failed.yml
new file mode 100644
index 0000000..4f6a5dc
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Login Failed.yml
@@ -0,0 +1,17 @@
+title: Login Failed
+description: Detects when Keeper Security Login fails
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*login*'
+ string_condition_0:
+ eventName: '*login_failure*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
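Review bot: The description `Detects when Keeper Security Login fails` is the only one in the commit without a terminating period, and the title and filename lack the section prefix (`Account - `, `Security - `, ...) that every other rule uses; `description: Detects when Keeper Security Login fails.` and a prefixed title such as `title: Security - Login Failed` would keep the set uniform. A single `login_failure` event at `level: info` is routine noise on its own; if the tm-v1 taxonomy supports count or aggregation conditions the rule would be more useful with a threshold, otherwise a sentence in the description stating that it is intended as a building block for correlation would set expectations for readers.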
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Added.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Added.yml
new file mode 100644
index 0000000..6f8e5f6
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Added.yml
@@ -0,0 +1,17 @@
+title: Policy - Admin Permission Added
+description: Detects when Keeper Security Admin permissions are added via Policy.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*policy*'
+ string_condition_0:
+ eventName: '*admin_permission_added*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Removed.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Removed.yml
new file mode 100644
index 0000000..0901a05
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Policy - Admin Permission Removed.yml
@@ -0,0 +1,17 @@
+title: Policy - Admin Permission Removed
+description: Detects when Keeper Security Admin permissions are removed via Policy.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*policy*'
+ string_condition_0:
+ eventName: '*admin_permission_removed*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Security - Two-Factor Authentication Disabled.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Security - Two-Factor Authentication Disabled.yml
new file mode 100644
index 0000000..028ee47
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Security - Two-Factor Authentication Disabled.yml
@@ -0,0 +1,17 @@
+title: Security - Two-Factor Authentication Disabled
+description: Detects when Keeper Security Two-Factor Authentication is disabled.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*security*'
+ string_condition_0:
+ eventName: '*set_two_factor_off*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
diff --git a/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Security - User Blocked via IP Address.yml b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Security - User Blocked via IP Address.yml
new file mode 100644
index 0000000..e398f52
--- /dev/null
+++ b/tm-v1-sigma-rules/third_party_logs/Keeper Security/Enterprise Security/Security - User Blocked via IP Address.yml
@@ -0,0 +1,17 @@
+title: Security - User Blocked from IP Address
+description: Detects when Keeper Security User is blocked from IP Address.
+references:
+ - https://docs.keeper.io/en/enterprise-guide/event-reporting/event-descriptions
+tags: []
+logsource:
+ category: THIRD_PARTY_LOG
+ product: Keeper Security
+ definition: THIRDPARTY_THIRDPARTY
+detection:
+ cat:
+ category: '*security*'
+ string_condition_0:
+ eventName: '*login_failed_ip_whitelist*'
+ condition: cat and string_condition_0
+level: info
+taxonomy: tm-v1
\ No newline at end of file
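Review bot: The title `Security - User Blocked from IP Address` does not match the filename `Security - User Blocked via IP Address.yml`; every other file in the commit uses its title as its filename, so one of the two should change, and `title: Security - User Blocked via IP Address` is the smaller edit. The `eventName` pattern `*login_failed_ip_whitelist*` appears to indicate a login rejected by the enterprise IP allowlist rather than a lockout, which is worth stating for responders, e.g. `description: Detects when a Keeper Security login is rejected because the source IP address is not on the enterprise IP allowlist.` — confirm the wording against the linked event-descriptions page before adopting it.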