
Add correlation rules: MFA fatigue, Azure→AWS pivot, LSASS→AssumeRole #5982

Closed

cray44 wants to merge 1 commit into SigmaHQ:master from cray44:add-correlation-rules

Conversation


@cray44 cray44 commented May 3, 2026

Summary

Adds three Sigma correlation rules in a new rules-correlation/ directory, covering cross-source detection chains that cannot be expressed in standard single-logsource Sigma rules.

These reference existing SigmaHQ rules by ID and follow the Sigma correlation specification.


Rules

1. rules-correlation/cloud/azure_ad_mfa_fatigue.yml (T1621)

  • Type: event_count
  • Detects MFA push fatigue: ≥10 MFA denials for a single user within 10 minutes
  • References: e40f4962 (Multifactor Authentication Denied)
  • Actor context: Scattered Spider, APT29 — documented in CISA AA23-320A

2. rules-correlation/cloud/azure_ad_impossible_travel_followed_by_aws_console_login.yml (T1078, T1078.004)

  • Type: temporal_ordered
  • Detects Azure AD impossible travel alert followed within 1 hour by AWS console login without MFA for the same user — cross-cloud identity pivot pattern
  • References: b2572bf9 (Impossible Travel) → 77caf516 (AWS Successful Console Login Without MFA)
  • Note: group-by: user.name requires SIEM normalization across Azure AD and AWS CloudTrail log sources

3. rules-correlation/endpoint/win_lsass_dump_followed_by_aws_sts_assumerole.yml (T1003.001, T1078.004)

  • Type: temporal_ordered
  • Detects Windows LSASS credential access followed within 4 hours by AWS STS AssumeRole — endpoint credential theft → cloud pivot
  • References: 962fe167 (LSASS Access From Non System Account) → 905d389b (AWS STS AssumeRole Misuse)
  • Note: group-by: user.name requires SIEM normalization across Windows Security and AWS CloudTrail log sources
  • Actor context: ALPHV/BlackCat, Scattered Spider, LAPSUS$

Notes

  • rules-correlation/ directory is new — proposing it as the home for Sigma correlation rules. Happy to adjust the path per maintainer preference.
  • Cross-source group-by fields (user.name) follow ECS normalization conventions; CIM equivalent is user.
  • All referenced base rules are existing SigmaHQ rules in good standing.
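The two correlation types the PR describes, event_count over a sliding window and temporal_ordered across log sources, both grouped on a normalised user.name, worked through as an added Python example that is not part of the PR or of SigmaHQ. Rule names, user names and timestamps are constructed placeholders (the real base-rule ids are the ones the PR lists); the thresholds are the PR's own: 10 MFA denials in 10 minutes, and impossible travel followed within 1 hour by an AWS console login without MFA.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(rule, user, ts):
    return {"rule": rule, "user.name": user, "@timestamp": datetime.fromisoformat(ts)}

# Constructed sample, already normalised to ECS user.name across sources; rule names are placeholders for the SigmaHQ base-rule ids.
EVENTS = (
    [ev("mfa_denied", "alice", f"2026-05-03T09:0{i}:00") for i in range(10)]        # 10 denials in 9 min
    + [ev("mfa_denied", "bob", f"2026-05-03T{8 + i:02d}:00:00") for i in range(10)]  # 10 denials over 9 h
    + [ev("impossible_travel", "carol", "2026-05-03T10:00:00"),
       ev("aws_console_no_mfa", "carol", "2026-05-03T10:30:00"),   # right order, 30 min apart
       ev("aws_console_no_mfa", "dave", "2026-05-03T11:00:00"),
       ev("impossible_travel", "dave", "2026-05-03T11:10:00"),     # wrong order: must not fire
       ev("impossible_travel", "erin", "2026-05-03T12:00:00"),
       ev("aws_console_no_mfa", "erin", "2026-05-03T15:00:00")]    # right order, but 3 h apart
)

def event_count(events, rule, group_by, timespan_min, gte):
    """event_count: fire for a group when >= gte matches of `rule` fall inside one sliding window."""
    window, hits, by_group = timedelta(minutes=timespan_min), set(), defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e["rule"] == rule:
            by_group[e[group_by]].append(e["@timestamp"])
    for group, times in by_group.items():   # times are already in ascending order
        if any(times[i + gte - 1] - times[i] <= window for i in range(len(times) - gte + 1)):
            hits.add(group)
    return hits

def temporal_ordered(events, rules, group_by, timespan_min):
    """temporal_ordered: every rule matches for one group, in the listed order, within the timespan."""
    window, hits, by_group = timedelta(minutes=timespan_min), set(), defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e["rule"] in rules:
            by_group[e[group_by]].append((e["@timestamp"], e["rule"]))
    for group, seq in by_group.items():
        for i, (t0, r0) in enumerate(seq):
            if r0 != rules[0]:                   # a chain can only start at the first rule
                continue
            need = 1                             # index of the next rule we are waiting for
            for t, r in seq[i + 1:]:
                if t - t0 > window:              # window is measured from the chain's first event
                    break
                if need < len(rules) and r == rules[need]:
                    need += 1
            if need == len(rules):
                hits.add(group)
                break
    return hits
```

Running event_count on the sample with (10 minutes, gte 10) flags only alice, and temporal_ordered with ["impossible_travel", "aws_console_no_mfa"] over 60 minutes flags only carol; the group-by only works because every event already carries the same user.name key, which is the normalisation caveat the PR notes.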

@github-actions github-actions Bot added the Review Needed The PR requires review label May 3, 2026
Collaborator

@swachchhanda000 swachchhanda000 left a comment


Hi @cray44,

Thanks for the submission. Correlation rules are not yet supported/accepted in this repo. For now, I am closing this PR. However, when we do support them, we will revisit this PR via #5759

Author

cray44 commented May 5, 2026

Thanks, I will keep an eye on correlation-rules repo if/when it exists.

2 participants