Sigma Compliance Rules
This section lists the Sigma rules in the Compliance category. It is updated automatically when new commits are available in quasarops.
Title: Cleartext Protocol Usage
rule_category: compliance
rule_url: https://github.com/Neo23x0/sigma/blob/master/rules/compliance/cleartext_protocols.yml
author: Alexandr Yampolskyi, SOC Prime
status: stable
date: 2019/03/26
description: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. Ensure that encryption is used for all sensitive information in transit. Ensure that an encrypted channel is used for all administrative account access.
tags: CSC4, CSC4.5, CSC14, CSC14.4, CSC16, CSC16.5, NIST CSF 1.1 PR.AT-2, NIST CSF 1.1 PR.MA-2, NIST CSF 1.1 PR.PT-3, NIST CSF 1.1 PR.AC-1, NIST CSF 1.1 PR.AC-4, NIST CSF 1.1 PR.AC-5, NIST CSF 1.1 PR.AC-6, NIST CSF 1.1 PR.AC-7, NIST CSF 1.1 PR.DS-1, NIST CSF 1.1 PR.DS-2, ISO 27002-2013 A.9.2.1, ISO 27002-2013 A.9.2.2, ISO 27002-2013 A.9.2.3, ISO 27002-2013 A.9.2.4, ISO 27002-2013 A.9.2.5, ISO 27002-2013 A.9.2.6, ISO 27002-2013 A.9.3.1, ISO 27002-2013 A.9.4.1, ISO 27002-2013 A.9.4.2, ISO 27002-2013 A.9.4.3, ISO 27002-2013 A.9.4.4, ISO 27002-2013 A.8.3.1, ISO 27002-2013 A.9.1.1, ISO 27002-2013 A.10.1.1, PCI DSS 3.2 2.1, PCI DSS 3.2 8.1, PCI DSS 3.2 8.2, PCI DSS 3.2 8.3, PCI DSS 3.2 8.7, PCI DSS 3.2 8.8, PCI DSS 3.2 1.3, PCI DSS 3.2 1.4, PCI DSS 3.2 4.3, PCI DSS 3.2 7.1, PCI DSS 3.2 7.2, PCI DSS 3.2 7.3

Title: Default Credentials Usage
rule_category: compliance
rule_url: https://github.com/Neo23x0/sigma/blob/master/rules/compliance/default_credentials_usage.yml
author: Alexandr Yampolskyi, SOC Prime
status: stable
date: 2019/03/26
description: Before deploying any new asset, change all default passwords to values consistent with administrative-level accounts. The rule detects default-credential usage from Qualys vulnerability scanner output (scan type: Vulnerability Management).
tags: CSC4, CSC4.2, NIST CSF 1.1 PR.AC-4, NIST CSF 1.1 PR.AT-2, NIST CSF 1.1 PR.MA-2, NIST CSF 1.1 PR.PT-3, ISO 27002-2013 A.9.1.1, ISO 27002-2013 A.9.2.2, ISO 27002-2013 A.9.2.3, ISO 27002-2013 A.9.2.4, ISO 27002-2013 A.9.2.5, ISO 27002-2013 A.9.2.6, ISO 27002-2013 A.9.3.1, ISO 27002-2013 A.9.4.1, ISO 27002-2013 A.9.4.2, ISO 27002-2013 A.9.4.3, ISO 27002-2013 A.9.4.4, PCI DSS 3.2 2.1, PCI DSS 3.2 7.1, PCI DSS 3.2 7.2, PCI DSS 3.2 7.3, PCI DSS 3.2 8.1, PCI DSS 3.2 8.2, PCI DSS 3.2 8.3, PCI DSS 3.2 8.7

Title: Group Modification Logging
rule_category: compliance
rule_url: https://github.com/Neo23x0/sigma/blob/master/rules/compliance/group_modification_logging.yml
author: Alexandr Yampolskyi, SOC Prime
status: stable
date: 2019/03/26
description: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. The rule matches Windows Security Event ID 4728 (a member was added to a security-enabled global group), Event ID 4729 (a member was removed from a security-enabled global group) and Event ID 4730 (a security-enabled global group was deleted). This check does not apply to Unix systems. Supported OS: Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, Windows Server 2016 and Windows 10, Windows Server 2019, Windows Server 2000, Windows Server 2003 and Windows XP.
tags: CSC4, CSC4.8, NIST CSF 1.1 PR.AC-4, NIST CSF 1.1 PR.AT-2, NIST CSF 1.1 PR.MA-2, NIST CSF 1.1 PR.PT-3, ISO 27002-2013 A.9.1.1, ISO 27002-2013 A.9.2.2, ISO 27002-2013 A.9.2.3, ISO 27002-2013 A.9.2.4, ISO 27002-2013 A.9.2.5, ISO 27002-2013 A.9.2.6, ISO 27002-2013 A.9.3.1, ISO 27002-2013 A.9.4.1, ISO 27002-2013 A.9.4.2, ISO 27002-2013 A.9.4.3, ISO 27002-2013 A.9.4.4, PCI DSS 3.2 2.1, PCI DSS 3.2 7.1, PCI DSS 3.2 7.2, PCI DSS 3.2 7.3, PCI DSS 3.2 8.1, PCI DSS 3.2 8.2, PCI DSS 3.2 8.3, PCI DSS 3.2 8.7

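The following is an added example, not code from the Sigma repository or from the rule's author. It applies the selection the Group Modification Logging description names (Security-log Event IDs 4728, 4729 and 4730) to constructed sample events, and adds the step the description asks for but a bare Event ID match does not give you: only alerting when the affected group actually carries administrative privileges. The ADMIN_GROUPS set, the sample events and the Alert type are assumptions made for the illustration; the field names TargetUserName (the group), MemberName (the account) and SubjectUserName (who made the change) are the EventData names Windows uses for these events.

```python
"""Added example (not the Sigma project's code): match Event IDs 4728/4729/4730
as the Group Modification Logging rule describes, then keep only changes to
groups with administrative privileges."""

from dataclasses import dataclass
from typing import Iterable

# The three Event IDs the rule description names, with the meaning Windows
# gives each of them in the Security log.
GROUP_CHANGE_EVENTS = {
    4728: "member added to a security-enabled global group",
    4729: "member removed from a security-enabled global group",
    4730: "security-enabled global group deleted",
}

# Assumption: which groups count as "assigned administrative privileges" is
# site policy. This set is illustrative; the comparison is case-insensitive
# because the logged name carries whatever casing the directory stores.
ADMIN_GROUPS = {"domain admins", "enterprise admins", "schema admins"}


@dataclass(frozen=True)
class Alert:
    event_id: int
    group: str
    member: str
    actor: str
    summary: str


def matches_rule(event: dict) -> bool:
    """The Sigma selection: a Security-log event whose EventID is 4728, 4729 or 4730."""
    return event.get("Channel") == "Security" and event.get("EventID") in GROUP_CHANGE_EVENTS


def is_admin_group(group: str) -> bool:
    """True when the group name is on the site's administrative-group list."""
    return group.strip().lower() in ADMIN_GROUPS


def evaluate(events: Iterable[dict]) -> list[Alert]:
    """One Alert per event that matches the rule and touches an admin group.

    TargetUserName is the group, MemberName the account DN (absent on 4730,
    where the whole group is gone), SubjectUserName the account that made
    the change.
    """
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        group = ev.get("TargetUserName", "")
        if not is_admin_group(group):
            continue
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        alerts.append(Alert(
            event_id=eid,
            group=group,
            member=ev.get("MemberName", ""),
            actor=actor,
            summary=f"{eid}: {GROUP_CHANGE_EVENTS[eid]} ({group!r} changed by {actor})",
        ))
    return alerts


# Constructed sample events (not captured from a real host); the keys mirror
# the EventData fields of the real events.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4728, "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "SubjectUserName": "ops-admin"},
    {"Channel": "Security", "EventID": 4728, "TargetUserName": "Marketing",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example", "SubjectUserName": "helpdesk1"},
    {"Channel": "Security", "EventID": 4729, "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "SubjectUserName": "ops-admin"},
    {"Channel": "Security", "EventID": 4730, "TargetUserName": "Schema Admins",
     "SubjectUserName": "ops-admin"},
    {"Channel": "Security", "EventID": 4624, "TargetUserName": "jdoe",
     "SubjectUserName": "-"},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert.summary)
```

Two caveats when deploying this. The three IDs cover security-enabled global groups only; membership changes to domain-local groups (4732 added, 4733 removed) and universal groups (4756 added, 4757 removed) have their own Event IDs, so a built-in local group such as Administrators is not seen by this selection. And none of these events are written unless the "Audit Security Group Management" subcategory of the advanced audit policy is enabled on the domain controllers and member servers you are collecting from.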
Title: Host Without Firewall
rule_category: compliance
rule_url: https://github.com/Neo23x0/sigma/blob/master/rules/compliance/host_without_firewall.yml
author: Alexandr Yampolskyi, SOC Prime
status: stable
date: 2019/03/19
description: Host without a firewall; an alert means the host is not compliant. The rule works on Qualys vulnerability scanner output (scan type: Vulnerability Management).
tags: CSC9, CSC9.4, NIST CSF 1.1 PR.AC-5, NIST CSF 1.1 PR.AC-6, NIST CSF 1.1 PR.AC-7, NIST CSF 1.1 DE.AE-1, ISO 27002-2013 A.9.1.2, ISO 27002-2013 A.13.2.1, ISO 27002-2013 A.13.2.2, ISO 27002-2013 A.14.1.2, PCI DSS 3.2 1.4

Title: Locked Workstation
rule_category: compliance
rule_url: https://github.com/Neo23x0/sigma/blob/master/rules/compliance/workstation_was_locked.yml
author: Alexandr Yampolskyi, SOC Prime
status: stable
date: 2019/03/26
description: Automatically lock workstation sessions after a standard period of inactivity. This check does not apply to Unix systems. Supported OS: Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, Windows Server 2016 and Windows 10, Windows Server 2019.
tags: CSC16, CSC16.11, ISO 27002-2013 A.9.1.1, ISO 27002-2013 A.9.2.1, ISO 27002-2013 A.9.2.2, ISO 27002-2013 A.9.2.3, ISO 27002-2013 A.9.2.4, ISO 27002-2013 A.9.2.5, ISO 27002-2013 A.9.2.6, ISO 27002-2013 A.9.3.1, ISO 27002-2013 A.9.4.1, ISO 27002-2013 A.9.4.3, ISO 27002-2013 A.11.2.8, PCI DSS 3.1 7.1, PCI DSS 3.1 7.2, PCI DSS 3.1 7.3, PCI DSS 3.1 8.7, PCI DSS 3.1 8.8, NIST CSF 1.1 PR.AC-1, NIST CSF 1.1 PR.AC-4, NIST CSF 1.1 PR.AC-6, NIST CSF 1.1 PR.AC-7, NIST CSF 1.1 PR.PT-3