Merge branch 'master' into rule-devel

.github/workflows/known-FPs.csv

@@ -39,3 +39,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe
 949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon
+fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.*

rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml

@@ -26,7 +26,7 @@ detection:
 falsepositives:
      - Not using a PAW/SAW in the environment
 tags:
-    - attack.valid_accounts
+    - attack.defense_evasion
     - attack.privilege_escalation
     - attack.t1078
 level: high

rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml

@@ -22,6 +22,6 @@ detection:
 falsepositives:
      - A legit admin not following proper processes
 tags:
-    - attack.valid_accounts
+    - attack.defense_evasion
     - attack.t1078
 level: high

rules/application/antivirus/av_hacktool.yml

@@ -1,11 +1,15 @@
 title: Antivirus Hacktool Detection
 id: fa0c05b6-8ad3-468d-8231-c1cbccb64fba
+status: test
 description: Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool
-status: experimental
-date: 2021/08/16
-author: Florian Roth
 references:
     - https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/
+author: Florian Roth
+date: 2021/08/16
+modified: 2022/10/09
+tags:
+    - attack.execution
+    - attack.t1204
 logsource:
     category: antivirus
 detection:
@@ -18,12 +22,9 @@ detection:
         - Signature|contains:
             - 'Hacktool'
     condition: selection
-fields:
-    - FileName
-    - User
 falsepositives:
     - Unlikely
 level: high
-tags:
-    - attack.execution
-    - attack.t1204
+fields:
+    - FileName
+    - User

rules/apt/apt_silence_eda.yml

@@ -1,41 +1,45 @@
 title: Silence.EDA Detection
 id: 3ceb2083-a27f-449a-be33-14ec1b7cc973
 status: test
-description: Detects Silence empireDNSagent
+description: Detects Silence EmpireDNSAgent as described in the Group-IP report
 author: Alina Stepchenkova, Group-IB, oscd.community
 date: 2019/11/01
-modified: 2021/11/27
+modified: 2022/10/05
+references:
+    - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
 logsource:
-  product: windows
-  service: powershell
+    product: windows
+    service: powershell
 detection:
-  empire:
-    ScriptBlockText|contains|all:               # better to randomise the order
-      - 'System.Diagnostics.Process'
-      - 'Stop-Computer'
-      - 'Restart-Computer'
-      - 'Exception in execution'
-      - '$cmdargs'
-      - 'Close-Dnscat2Tunnel'
-  dnscat:
-    ScriptBlockText|contains|all:               # better to randomise the order
-      - 'set type=$LookupType`nserver'
-      - '$Command | nslookup 2>&1 | Out-String'
-      - 'New-RandomDNSField'
-      - '[Convert]::ToString($SYNOptions, 16)'
-      - '$Session.Dead = $True'
-      - '$Session["Driver"] -eq'
-  condition: empire and dnscat
+    empire:
+        # better to randomise the order
+        ScriptBlockText|contains|all:
+            - 'System.Diagnostics.Process'
+            - 'Stop-Computer'
+            - 'Restart-Computer'
+            - 'Exception in execution'
+            - '$cmdargs'
+            - 'Close-Dnscat2Tunnel'
+    dnscat:
+        # better to randomise the order
+        ScriptBlockText|contains|all:
+            - 'set type=$LookupType`nserver'
+            - '$Command | nslookup 2>&1 | Out-String'
+            - 'New-RandomDNSField'
+            - '[Convert]::ToString($SYNOptions, 16)'
+            - '$Session.Dead = $True'
+            - '$Session["Driver"] -eq'
+    condition: empire and dnscat
 falsepositives:
-  - Unknown
+    - Unknown
 level: critical
 tags:
-  - attack.execution
-  - attack.t1059.001
-  - attack.command_and_control
-  - attack.t1071.004
-  - attack.t1572
-  - attack.impact
-  - attack.t1529
-  - attack.g0091
-  - attack.s0363
+    - attack.execution
+    - attack.t1059.001
+    - attack.command_and_control
+    - attack.t1071.004
+    - attack.t1572
+    - attack.impact
+    - attack.t1529
+    - attack.g0091
+    - attack.s0363

rules/cloud/aws/aws_attached_malicious_lambda_layer.yml

@@ -1,11 +1,14 @@
 title: AWS Attached Malicious Lambda Layer
 id: 97fbabf8-8e1b-47a2-b7d5-a418d2b95e3d
+status: test
 description: Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
-author: Austin Songer
-status: experimental
-date: 2021/09/23
 references:
     - https://docs.aws.amazon.com/lambda/latest/dg/API_UpdateFunctionConfiguration.html
+author: Austin Songer
+date: 2021/09/23
+modified: 2022/10/09
+tags:
+    - attack.privilege_escalation
 logsource:
     product: aws
     service: cloudtrail
@@ -14,9 +17,7 @@ detection:
         eventSource: lambda.amazonaws.com
         eventName|startswith: 'UpdateFunctionConfiguration'
     condition: selection
-level: medium
-tags:
-    - attack.privilege_escalation
 falsepositives:
- - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Lambda Layer being attached may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Lambda Layer being attached from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/aws/aws_cloudtrail_disable_logging.yml

@@ -1,12 +1,15 @@
 title: AWS CloudTrail Important Change
 id: 4db60cc0-36fb-42b7-9b58-a5b53019fb74
-status: experimental
+status: test
 description: Detects disabling, deleting and updating of a Trail
-author: vitaliy0x1
-date: 2020/01/21
-modified: 2021/08/09
 references:
     - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
+author: vitaliy0x1
+date: 2020/01/21
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
 logsource:
     product: aws
     service: cloudtrail
@@ -21,6 +24,3 @@ detection:
 falsepositives:
     - Valid change in a Trail
 level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001

rules/cloud/aws/aws_config_disable_recording.yml

@@ -1,10 +1,13 @@
 title: AWS Config Disabling Channel/Recorder
 id: 07330162-dba1-4746-8121-a9647d49d297
-status: experimental
+status: test
 description: Detects AWS Config Service disabling
 author: vitaliy0x1
 date: 2020/01/21
-modified: 2021/08/09
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
 logsource:
     product: aws
     service: cloudtrail
@@ -18,6 +21,3 @@ detection:
 falsepositives:
     - Valid change in AWS Config Service
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001

rules/cloud/aws/aws_ec2_download_userdata.yml

@@ -1,12 +1,15 @@
 title: AWS EC2 Download Userdata
 id: 26ff4080-194e-47e7-9889-ef7602efed0c
-status: experimental
+status: test
 description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
-author: faloker
-date: 2020/02/11
-modified: 2021/08/20
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__download_userdata/main.py
+author: faloker
+date: 2020/02/11
+modified: 2022/10/09
+tags:
+    - attack.exfiltration
+    - attack.t1020
 logsource:
     product: aws
     service: cloudtrail
@@ -20,6 +23,3 @@ detection:
 falsepositives:
     - Assets management software like device42
 level: medium
-tags:
-    - attack.exfiltration 
-    - attack.t1020

rules/cloud/aws/aws_ec2_vm_export_failure.yml

@@ -1,30 +1,29 @@
 title: AWS EC2 VM Export Failure
 id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
 status: experimental
-description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.     
+description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
 author: Diogo Braz
 date: 2020/04/16
-modified: 2021/08/20
-references: 
-  - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
+modified: 2022/10/05
+references:
+    - https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
 logsource:
-  product: aws
-  service: cloudtrail
+    product: aws
+    service: cloudtrail
 detection:
-  selection:           
-    eventName: 'CreateInstanceExportTask'
-    eventSource: 'ec2.amazonaws.com'
-  filter1:
-    errorMessage: '*'
-  filter2:
-    errorCode: '*'
-  filter3:
-    responseElements|contains: 'Failure'
-  condition: selection and (filter1 or filter2 or filter3)
+    selection:
+        eventName: 'CreateInstanceExportTask'
+        eventSource: 'ec2.amazonaws.com'
+    filter1:
+        errorMessage|contains: '*'
+    filter2:
+        errorCode|contains: '*'
+    filter3:
+        responseElements|contains: 'Failure'
+    condition: selection and not 1 of filter*
 level: low
 tags:
-- attack.collection    
-- attack.t1005      
-- attack.exfiltration
-- attack.t1537
-
+    - attack.collection
+    - attack.t1005
+    - attack.exfiltration
+    - attack.t1537

rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml

@@ -1,11 +1,14 @@
 title: AWS EFS Fileshare Modified or Deleted
 id: 25cb1ba1-8a19-4a23-a198-d252664c8cef
-status: experimental
+status: test
 description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
-author: Austin Songer @austinsonger
-date: 2021/08/15
 references:
     - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
+author: Austin Songer @austinsonger
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
     product: aws
     service: cloudtrail
@@ -17,5 +20,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.impact

rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml

@@ -1,11 +1,15 @@
 title: AWS EFS Fileshare Mount Modified or Deleted
 id: 6a7ba45c-63d8-473e-9736-2eaabff79964
-status: experimental
+status: test
 description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
-author: Austin Songer @austinsonger
-date: 2021/08/15
 references:
     - https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
+author: Austin Songer @austinsonger
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+    - attack.impact
+    - attack.t1485
 logsource:
     product: aws
     service: cloudtrail
@@ -17,6 +21,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.impact
-    - attack.t1485

rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml

@@ -1,26 +1,27 @@
 title: AWS EKS Cluster Created or Deleted
 id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
+status: test
 description: Identifies when an EKS cluster is created or deleted.
-author: Austin Songer
-status: experimental
-date: 2021/08/16
 references:
     - https://any-api.com/amazonaws_com/eks/docs/API_Description
+author: Austin Songer
+date: 2021/08/16
+modified: 2022/10/09
+tags:
+    - attack.impact
+    - attack.t1485
 logsource:
     product: aws
     service: cloudtrail
 detection:
     selection:
         eventSource: eks.amazonaws.com
-        eventName: 
+        eventName:
             - CreateCluster
             - DeleteCluster
     condition: selection
-level: low
-tags:
-    - attack.impact
-    - attack.t1485
 falsepositives:
- - EKS Cluster being created or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - EKS Cluster being created or deleted may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low

rules/cloud/aws/aws_elasticache_security_group_created.yml

@@ -1,12 +1,16 @@
 title: AWS ElastiCache Security Group Created
-id: 4ae68615-866f-4304-b24b-ba048dfa5ca7 
-description: Detects when an ElastiCache security group has been created. 
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
-modified: 2021/08/19
+id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
+status: test
+description: Detects when an ElastiCache security group has been created.
 references:
     - https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+    - attack.persistence
+    - attack.t1136
+    - attack.t1136.003
 logsource:
     product: aws
     service: cloudtrail
@@ -15,12 +19,8 @@ detection:
         eventSource: elasticache.amazonaws.com
         eventName: 'CreateCacheSecurityGroup'
     condition: selection
-level: low
-tags:
-    - attack.persistence
-    - attack.t1136
-    - attack.t1136.003
 falsepositives:
-- A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 
 
+level: low

rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml

@@ -1,30 +1,30 @@
 title: AWS ElastiCache Security Group Modified or Deleted
 id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
+status: test
 description: Identifies when an ElastiCache security group has been modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
-modified: 2021/08/19
 references:
     - https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+    - attack.impact
+    - attack.t1531
 logsource:
     product: aws
     service: cloudtrail
 detection:
     selection:
         eventSource: elasticache.amazonaws.com
-        eventName: 
+        eventName:
             - 'DeleteCacheSecurityGroup'
             - 'AuthorizeCacheSecurityGroupIngress'
             - 'RevokeCacheSecurityGroupIngress'
             - 'AuthorizeCacheSecurityGroupEgress'
             - 'RevokeCacheSecurityGroupEgress'
     condition: selection
-level: low
-tags:
-    - attack.impact
-    - attack.t1531
 falsepositives:
-- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 
 
+level: low

rules/cloud/aws/aws_enum_listing.yml

@@ -1,10 +1,13 @@
 title: Account Enumeration on AWS
-id: e9c14b23-47e2-4a8b-8a63-d36618e33d70 
-status: experimental
-description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.  
+id: e9c14b23-47e2-4a8b-8a63-d36618e33d70
+status: test
+description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.
 author: toffeebr33k
 date: 2020/11/21
-modified: 2021/08/09
+modified: 2022/10/09
+tags:
+    - attack.discovery
+    - attack.t1592
 logsource:
     product: aws
     service: cloudtrail
@@ -13,11 +16,8 @@ detection:
         eventName: list*
     timeframe: 10m
     condition: selection_eventname | count() > 50
-fields:
-    - userIdentity.arn
 falsepositives:
     - AWS Config or other configuration scanning activities
 level: low
-tags:
-    - attack.discovery
-    - attack.t1592
+fields:
+    - userIdentity.arn

rules/cloud/aws/aws_guardduty_disruption.yml

@@ -1,12 +1,15 @@
 title: AWS GuardDuty Important Change
 id: 6e61ee20-ce00-4f8d-8aee-bedd8216f7e3
-status: experimental
+status: test
 description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
-author: faloker
-date: 2020/02/11
-modified: 2021/08/09
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/guardduty__whitelist_ip/main.py#L9
+author: faloker
+date: 2020/02/11
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1562.001
 logsource:
     product: aws
     service: cloudtrail
@@ -18,6 +21,3 @@ detection:
 falsepositives:
     - Valid change in the GuardDuty (e.g. to ignore internal scanners)
 level: high
-tags:
-    - attack.defense_evasion
-    - attack.t1562.001

rules/cloud/aws/aws_iam_backdoor_users_keys.yml

@@ -1,12 +1,15 @@
 title: AWS IAM Backdoor Users Keys
 id: 0a5177f4-6ca9-44c2-aacf-d3f3d8b6e4d2
-status: experimental
+status: test
 description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
-author: faloker
-date: 2020/02/12
-modified: 2021/08/20
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/iam__backdoor_users_keys/main.py
+author: faloker
+date: 2020/02/12
+modified: 2022/10/09
+tags:
+    - attack.persistence
+    - attack.t1098
 logsource:
     product: aws
     service: cloudtrail
@@ -17,15 +20,12 @@ detection:
     filter:
         userIdentity.arn|contains: responseElements.accessKey.userName
     condition: selection_source and not filter
+falsepositives:
+    - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
+    - AWS API keys legitimate exchange workflows
+level: medium
 fields:
     - userIdentity.arn
     - responseElements.accessKey.userName
     - errorCode
     - errorMessage
-falsepositives:
-    - Adding user keys to their own accounts (the filter cannot cover all possible variants of user naming)
-    - AWS API keys legitimate exchange workflows
-level: medium
-tags:
-    - attack.persistence
-    - attack.t1098

rules/cloud/aws/aws_macic_evasion.yml

@@ -1,11 +1,12 @@
 title: AWS Macie Evasion
 id: 91f6a16c-ef71-437a-99ac-0b070e3ad221
-status: experimental
+status: test
 description: Detects evade to Macie detection.
-author: Sittikorn S
-date: 2021/07/06
 references:
     - https://docs.aws.amazon.com/cli/latest/reference/macie/
+author: Sittikorn S
+date: 2021/07/06
+modified: 2022/10/09
 tags:
     - attack.defense_evasion
     - attack.t1562.001
@@ -28,9 +29,9 @@ detection:
             - 'UpdateClassificationJob'
     timeframe: 10m
     condition: selection | count() by sourceIPAddress > 5
-fields:
-    - sourceIPAddress
-    - userIdentity.arn
 falsepositives:
     - System or Network administrator behaviors
 level: medium
+fields:
+    - sourceIPAddress
+    - userIdentity.arn

rules/cloud/aws/aws_rds_change_master_password.yml

@@ -4,7 +4,7 @@ status: experimental
 description: Detects the change of database master password. It may be a part of data exfiltration.
 author: faloker
 date: 2020/02/12
-modified: 2021/08/20
+modified: 2022/10/05
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
 logsource:
@@ -13,7 +13,7 @@ logsource:
 detection:
     selection_source:
         eventSource: rds.amazonaws.com
-        responseElements.pendingModifiedValues.masterUserPassword: '*'
+        responseElements.pendingModifiedValues.masterUserPassword|contains: '*'
         eventName: ModifyDBInstance
     condition: selection_source
 falsepositives:

rules/cloud/aws/aws_rds_public_db_restore.yml

@@ -1,12 +1,15 @@
 title: Restore Public AWS RDS Instance
 id: c3f265c7-ff03-4056-8ab2-d486227b4599
-status: experimental
+status: test
 description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
-author: faloker
-date: 2020/02/12
-modified: 2021/08/20
 references:
     - https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
+author: faloker
+date: 2020/02/12
+modified: 2022/10/09
+tags:
+    - attack.exfiltration
+    - attack.t1020
 logsource:
     product: aws
     service: cloudtrail
@@ -19,6 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: high
-tags:
-    - attack.exfiltration
-    - attack.t1020

rules/cloud/aws/aws_root_account_usage.yml

@@ -1,24 +1,24 @@
 title: AWS Root Credentials
 id: 8ad1600d-e9dc-4251-b0ee-a65268f29add
-status: experimental
+status: test
 description: Detects AWS root account usage
+references:
+    - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
 author: vitaliy0x1
 date: 2020/01/21
-modified: 2021/08/09
-references:
-  - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
-logsource:
-  product: aws
-  service: cloudtrail
-detection:
-  selection_usertype:
-    userIdentity.type: Root
-  selection_eventtype:
-    eventType: AwsServiceEvent
-  condition: selection_usertype and not selection_eventtype
-falsepositives:
-  - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
-level: medium
+modified: 2022/10/09
 tags:
-  - attack.privilege_escalation
-  - attack.t1078.004
+    - attack.privilege_escalation
+    - attack.t1078.004
+logsource:
+    product: aws
+    service: cloudtrail
+detection:
+    selection_usertype:
+        userIdentity.type: Root
+    selection_eventtype:
+        eventType: AwsServiceEvent
+    condition: selection_usertype and not selection_eventtype
+falsepositives:
+    - AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html
+level: medium

rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml

@@ -1,13 +1,18 @@
 title: AWS Route 53 Domain Transfer Lock Disabled
 id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
+status: test
 description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
-author: Elastic, Austin Songer @austinsonger
-status: experimental
-date: 2021/07/22
 references:
     - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
     - https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
     - https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
+author: Elastic, Austin Songer @austinsonger
+date: 2021/07/22
+modified: 2022/10/09
+tags:
+    - attack.persistence
+    - attack.credential_access
+    - attack.t1098
 logsource:
     product: aws
     service: cloudtrail
@@ -19,7 +24,3 @@ detection:
 falsepositives:
     - A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 level: low
-tags:
-    - attack.persistence
-    - attack.credential_access
-    - attack.t1098

rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml

@@ -1,11 +1,16 @@
 title: AWS Route 53 Domain Transferred to Another Account
 id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
+status: test
 description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
-author: Elastic, Austin Songer @austinsonger
-status: experimental
-date: 2021/07/22
 references:
     - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+author: Elastic, Austin Songer @austinsonger
+date: 2021/07/22
+modified: 2022/10/09
+tags:
+    - attack.persistence
+    - attack.credential_access
+    - attack.t1098
 logsource:
     product: aws
     service: cloudtrail
@@ -17,7 +22,3 @@ detection:
 falsepositives:
     - A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 level: low
-tags:
-    - attack.persistence
-    - attack.credential_access
-    - attack.t1098

rules/cloud/aws/aws_s3_data_management_tampering.yml

@@ -1,10 +1,7 @@
 title: AWS S3 Data Management Tampering
 id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
+status: test
 description: Detects when a user tampers with S3 data management in Amazon Web Services.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
-modified: 2021/08/19
 references:
     - https://github.com/elastic/detection-rules/pull/1145/files
     - https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
@@ -13,6 +10,12 @@ references:
     - https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
     - https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
     - https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+    - attack.exfiltration
+    - attack.t1537
 logsource:
     product: aws
     service: cloudtrail
@@ -20,17 +23,14 @@ detection:
     selection:
         eventSource: s3.amazonaws.com
         eventName:
-           - PutBucketLogging
-           - PutBucketWebsite
-           - PutEncryptionConfiguration
-           - PutLifecycleConfiguration
-           - PutReplicationConfiguration
-           - ReplicateObject
-           - RestoreObject
+            - PutBucketLogging
+            - PutBucketWebsite
+            - PutEncryptionConfiguration
+            - PutLifecycleConfiguration
+            - PutReplicationConfiguration
+            - ReplicateObject
+            - RestoreObject
     condition: selection
-level: low
-tags:
-    - attack.exfiltration
-    - attack.t1537
 falsepositives:
-- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low

rules/cloud/aws/aws_sts_assumerole_misuse.yml

@@ -1,13 +1,19 @@
 title: AWS STS AssumeRole Misuse
 id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
+status: test
 description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
-modified: 2021/08/20
 references:
     - https://github.com/elastic/detection-rules/pull/1214
     - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+    - attack.lateral_movement
+    - attack.privilege_escalation
+    - attack.t1548
+    - attack.t1550
+    - attack.t1550.001
 logsource:
     product: aws
     service: cloudtrail
@@ -16,14 +22,8 @@ detection:
         userIdentity.type: AssumedRole
         userIdentity.sessionContext.sessionIssuer.type: Role
     condition: selection
-level: low
-tags:
-    - attack.lateral_movement
-    - attack.privilege_escalation
-    - attack.t1548
-    - attack.t1550
-    - attack.t1550.001
 falsepositives:
     - AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
     - AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
     - Automated processes that uses Terraform may lead to false positives.
+level: low

rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml

@@ -1,12 +1,19 @@
 title: AWS STS GetSessionToken Misuse
 id: b45ab1d2-712f-4f01-a751-df3826969807
+status: test
 description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/07/24
 references:
     - https://github.com/elastic/detection-rules/pull/1213
     - https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
+author: Austin Songer @austinsonger
+date: 2021/07/24
+modified: 2022/10/09
+tags:
+    - attack.lateral_movement
+    - attack.privilege_escalation
+    - attack.t1548
+    - attack.t1550
+    - attack.t1550.001
 logsource:
     product: aws
     service: cloudtrail
@@ -16,12 +23,6 @@ detection:
         eventName: GetSessionToken
         userIdentity.type: IAMUser
     condition: selection
-level: low
-tags:
-  - attack.lateral_movement
-  - attack.privilege_escalation
-  - attack.t1548
-  - attack.t1550
-  - attack.t1550.001
 falsepositives:
-- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low

rules/cloud/aws/aws_susp_saml_activity.yml

@@ -1,12 +1,21 @@
-title: AWS Suspicious SAML Activity 
+title: AWS Suspicious SAML Activity
 id: f43f5d2f-3f2a-4cc8-b1af-81fde7dbaf0e
+status: test
 description: Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.
-author: Austin Songer
-status: experimental
-date: 2021/09/22
 references:
     - https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html
     - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html
+author: Austin Songer
+date: 2021/09/22
+modified: 2022/10/09
+tags:
+    - attack.initial_access
+    - attack.t1078
+    - attack.lateral_movement
+    - attack.t1548
+    - attack.privilege_escalation
+    - attack.t1550
+    - attack.t1550.001
 logsource:
     product: aws
     service: cloudtrail
@@ -18,16 +27,8 @@ detection:
         eventSource: iam.amazonaws.com
         eventName: UpdateSAMLProvider
     condition: selection1 or selection2
-level: medium
-tags:
-    - attack.initial_access
-    - attack.t1078
-    - attack.lateral_movement
-    - attack.t1548
-    - attack.privilege_escalation
-    - attack.t1550
-    - attack.t1550.001
 falsepositives:
- - Automated processes that uses Terraform may lead to false positives.
- - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Automated processes that uses Terraform may lead to false positives.
+    - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - SAML Provider being updated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/aws/aws_update_login_profile.yml

@@ -1,13 +1,17 @@
 title: AWS User Login Profile Was Modified
-id: 055fb148-60f8-462d-ad16-26926ce050f1 
-status: experimental
-description: | 
- An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
- With this alert, it is used to detect anyone is changing password on behalf of other users.
-author: toffeebr33k
-date: 2021/08/09
+id: 055fb148-60f8-462d-ad16-26926ce050f1
+status: test
+description: |
+    An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
+    With this alert, it is used to detect anyone is changing password on behalf of other users.
 references:
     - https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
+author: toffeebr33k
+date: 2021/08/09
+modified: 2022/10/09
+tags:
+    - attack.persistence
+    - attack.t1098
 logsource:
     product: aws
     service: cloudtrail
@@ -18,14 +22,11 @@ detection:
     filter:
         userIdentity.arn|contains: requestParameters.userName
     condition: selection_source and not filter
+falsepositives:
+    - Legit User Account Administration
+level: high
 fields:
     - userIdentity.arn
     - requestParameters.userName
     - errorCode
     - errorMessage
-falsepositives:
-    - Legit User Account Administration 
-level: high
-tags:
-    - attack.persistence
-    - attack.t1098

rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml

@@ -1,27 +1,28 @@
 title: Azure Active Directory Hybrid Health AD FS New Server
 id: 288a39fc-4914-4831-9ada-270e9dc12cb4
+status: test
 description: |
-  This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
-  A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
-  This can be done programmatically via HTTP requests to Azure.
-status: experimental
-date: 2021/08/26
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-tags:
-  - attack.defense_evasion
-  - attack.t1578
+    This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
+    A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
+    This can be done programmatically via HTTP requests to Azure.
 references:
-  - https://o365blog.com/post/hybridhealthagent/
+    - https://o365blog.com/post/hybridhealthagent/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1578
 logsource:
-  product: azure
-  service: azureactivity
+    product: azure
+    service: azureactivity
 detection:
-  selection:
-    CategoryValue: 'Administrative'
-    ResourceProviderValue: 'Microsoft.ADHybridHealthService'
-    ResourceId|contains: 'AdFederationService'
-    OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
-  condition: selection
+    selection:
+        CategoryValue: 'Administrative'
+        ResourceProviderValue: 'Microsoft.ADHybridHealthService'
+        ResourceId|contains: 'AdFederationService'
+        OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
+    condition: selection
 falsepositives:
-  - Legitimate AD FS servers added to an AAD Health AD FS service instance
-level: medium
+    - Legitimate AD FS servers added to an AAD Health AD FS service instance
+level: medium

rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml

@@ -1,27 +1,28 @@
 title: Azure Active Directory Hybrid Health AD FS Service Delete
 id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
+status: test
 description: |
-  This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
-  A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
-  The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
-status: experimental
-date: 2021/08/26
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
-tags:
-  - attack.defense_evasion
-  - attack.t1578.003
+    This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
+    A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
+    The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
 references:
-  - https://o365blog.com/post/hybridhealthagent/
+    - https://o365blog.com/post/hybridhealthagent/
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
+date: 2021/08/26
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1578.003
 logsource:
-  product: azure
-  service: azureactivity
+    product: azure
+    service: azureactivity
 detection:
-  selection:
-    CategoryValue: 'Administrative'
-    ResourceProviderValue: 'Microsoft.ADHybridHealthService'
-    ResourceId|contains: 'AdFederationService'
-    OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
-  condition: selection
+    selection:
+        CategoryValue: 'Administrative'
+        ResourceProviderValue: 'Microsoft.ADHybridHealthService'
+        ResourceId|contains: 'AdFederationService'
+        OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
+    condition: selection
 falsepositives:
-  - Legitimate AAD Health AD FS service instances being deleted in a tenant
-level: medium
+    - Legitimate AAD Health AD FS service instances being deleted in a tenant
+level: medium

rules/cloud/azure/azure_ad_auth_failure_increase.yml

@@ -17,6 +17,6 @@ detection:
 falsepositives:
      - Unlikely
 tags:
-    - attack.valid_accounts
+    - attack.defense_evasion
     - attack.t1078
-level: medium
+level: medium

rules/cloud/azure/azure_ad_auth_sucess_increase.yml

@@ -18,6 +18,6 @@ detection:
 falsepositives:
      - Increase of users in the environment
 tags:
-    - attack.valid_accounts
+    - attack.defense_evasion
     - attack.t1078
 level: low

rules/cloud/azure/azure_ad_bitlocker_key_retrieval.yml

@@ -18,5 +18,5 @@ falsepositives:
 level: medium
 status: experimental
 tags:
-  - attack.valid_accounts
+  - attack.defense_evasion
   - attack.t1078

rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml

@@ -4,21 +4,21 @@ description: Monitor and alert for device registration or join events where MFA
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
 references:
-  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
 logsource:
-  product: azure
-  service: signinlogs
+    product: azure
+    service: signinlogs
 detection:
-  selection:
-    ResourceDisplayName: 'Device Registration Service'
-    conditionalAccessStatus: 'success'
-  filter_mfa:
-    AuthenticationRequirement: 'multiFactorAuthentication'
-  condition: selection and not filter_mfa
+    selection:
+        ResourceDisplayName: 'Device Registration Service'
+        conditionalAccessStatus: 'success'
+    filter_mfa:
+        AuthenticationRequirement: 'multiFactorAuthentication'
+    condition: selection and not filter_mfa
 falsepositives:
-  - Unknown
+    - Unknown
 level: medium
 status: experimental
 tags:
-  - attack.valid_accounts
-  - attack.t1078
+    - attack.defense_evasion
+    - attack.t1078

rules/cloud/azure/azure_ad_device_registration_policy_changes.yml

@@ -4,19 +4,20 @@ description: Monitor and alert for changes to the device registration policy.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
 references:
-  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
 logsource:
-  product: azure
-  service: auditlogs
+    product: azure
+    service: auditlogs
 detection:
-  selection:
-    Category: 'Policy'
-    ActivityDisplayName: 'Set device registration policies'
-  condition: selection
+    selection:
+        Category: 'Policy'
+        ActivityDisplayName: 'Set device registration policies'
+    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 status: experimental
 tags:
-  - attack.domain_policy_modification
-  - attack.t1484
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1484

rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml

@@ -4,18 +4,18 @@ description: Monitor and alert for sign-ins where the device was non-compliant.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
 references:
-  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
 logsource:
-  product: azure
-  service: signinlogs
+    product: azure
+    service: signinlogs
 detection:
-  selection:
-    DeviceDetail.isCompliant: 'false'
-  condition: selection
+    selection:
+        DeviceDetail.isCompliant: 'false'
+    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 status: experimental
 tags:
-  - attack.valid_accounts
-  - attack.t1078
+    - attack.defense_evasion
+    - attack.t1078

rules/cloud/azure/azure_ad_sign_ins_from_unknown_devices.yml

@@ -3,22 +3,23 @@ id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
 description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
+modified: 2022/10/05
 references:
-  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
 logsource:
-  product: azure
-  service: signinlogs
+    product: azure
+    service: signinlogs
 detection:
-  selection:
-    AuthenticationRequirement: singleFactorAuthentication
-    ResultType: '0'
-    NetworkLocationDetails: '[]'
-    DeviceDetail.deviceId: ''
-  condition: selection
+    selection:
+        AuthenticationRequirement: singleFactorAuthentication
+        ResultType: 0
+        NetworkLocationDetails: '[]'
+        DeviceDetail.deviceId: ''
+    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: low
 status: experimental
 tags:
-  - attack.valid_accounts
-  - attack.t1078
+    - attack.defense_evasion
+    - attack.t1078

rules/cloud/azure/azure_ad_user_added_to_admin_role.yml

@@ -1,26 +1,27 @@
 title: User Added to an Administrator's Azure AD Role
 id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
+status: test
 description: User Added to an Administrator's Azure AD Role
-author: Raphaël CALVET, @MetallicHack
-date: 2021/10/04
 references:
     - https://attack.mitre.org/techniques/T1098/003/
     - https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
+author: Raphaël CALVET, @MetallicHack
+date: 2021/10/04
+modified: 2022/10/09
+tags:
+    - attack.persistence
+    - attack.t1098.003
 logsource:
     product: azure
     service: activitylogs
-detection: 
-   selection: 
-       Operation: 'Add member to role.'
-       Workload: 'AzureActiveDirectory'
-       ModifiedProperties{}.NewValue|endswith:
-           - 'Admins'
-           - 'Administrator'
-   condition: selection
+detection:
+    selection:
+        Operation: 'Add member to role.'
+        Workload: 'AzureActiveDirectory'
+        ModifiedProperties{}.NewValue|endswith:
+            - 'Admins'
+            - 'Administrator'
+    condition: selection
 falsepositives:
-    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled. 
+    - PIM (Privileged Identity Management) generates this event each time 'eligible role' is enabled.
 level: medium
-status: experimental
-tags: 
-    - attack.persistence
-    - attack.t1098.003

rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml

@@ -4,24 +4,24 @@ description: Monitor and alert for users added to device admin roles.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
 references:
-  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
+    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
 logsource:
-  product: azure
-  service: auditlogs
+    product: azure
+    service: auditlogs
 detection:
-  selection:
-    Category: RoleManagement
-    OperationName|contains|all:
-      - 'Add'
-      - 'member to role'
-    TargetResources|contains:
-      - '7698a772-787b-4ac8-901f-60d6b08affd2'
-      - '62e90394-69f5-4237-9190-012177145e10'
-  condition: selection
+    selection:
+        Category: RoleManagement
+        OperationName|contains|all:
+            - 'Add'
+            - 'member to role'
+        TargetResources|contains:
+            - '7698a772-787b-4ac8-901f-60d6b08affd2'
+            - '62e90394-69f5-4237-9190-012177145e10'
+    condition: selection
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 status: experimental
 tags:
-  - attack.valid_accounts
-  - attack.t1078
+    - attack.defense_evasion
+    - attack.t1078

rules/cloud/azure/azure_app_credential_modification.yml

@@ -1,22 +1,23 @@
 title: Azure Application Credential Modified
 id: cdeef967-f9a1-4375-90ee-6978c5f23974
+status: test
 description: Identifies when a application credential is modified.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/02
 references:
     - https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
+author: Austin Songer @austinsonger
+date: 2021/09/02
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: azure
-  service: activitylogs
+    product: azure
+    service: activitylogs
 detection:
     selection:
         properties.message: 'Update application - Certificates and secrets management'
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Application credential added may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Application credential added may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Application credential added from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/azure/azure_application_deleted.yml

@@ -1,24 +1,25 @@
 title: Azure Application Deleted
 id: 410d2a41-1e6d-452f-85e5-abdd8257a823
+status: test
 description: Identifies when a application is deleted in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
 logsource:
-  product: azure
-  service: activitylogs
+    product: azure
+    service: activitylogs
 detection:
     selection:
         properties.message:
             - Delete application
             - Hard Delete application
     condition: selection
-level: medium
-tags:
-    - attack.defense_evasion
 falsepositives:
- - Application being deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Application being deleted may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml

@@ -1,22 +1,23 @@
 title: Azure Device No Longer Managed or Compliant
 id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
+status: test
 description: Identifies when a device in azure is no longer managed or compliant
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: azure
-  service: activitylogs
+    product: azure
+    service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Device no longer compliant
             - Device no longer managed
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Administrator may have forgotten to review the device. 
+    - Administrator may have forgotten to review the device.
+level: medium

rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml

@@ -1,26 +1,27 @@
 title: Azure Device or Configuration Modified or Deleted
 id: 46530378-f9db-4af9-a9e5-889c177d3881
+status: test
 description: Identifies when a device or device configuration in azure is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: azure
-  service: activitylogs
+    product: azure
+    service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Delete device
             - Delete device configuration
             - Update device
             - Update device configuration
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Device or device configuration being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Device or device configuration being modified or deleted may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml

@@ -1,24 +1,25 @@
 title: Azure Owner Removed From Application or Service Principal
 id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
+status: test
 description: Identifies when a owner is was removed from a application or service principal in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
 logsource:
-  product: azure
-  service: activitylogs
+    product: azure
+    service: activitylogs
 detection:
     selection:
-        properties.message: 
+        properties.message:
             - Remove owner from service principal
             - Remove owner from application
     condition: selection
-level: medium
-tags:
-    - attack.defense_evasion
 falsepositives:
- - Owner being removed may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Owner being removed may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/azure/azure_service_principal_created.yml

@@ -1,22 +1,23 @@
 title: Azure Service Principal Created
 id: 0ddcff6d-d262-40b0-804b-80eb592de8e3
+status: test
 description: Identifies when a service principal is created in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/02
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/02
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
 logsource:
-  product: azure
-  service: activitylogs
+    product: azure
+    service: activitylogs
 detection:
     selection:
         properties.message: 'Add service principal'
     condition: selection
-level: medium
-tags:
-    - attack.defense_evasion
 falsepositives:
- - Service principal being created may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Service principal being created may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Service principal created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/azure/azure_service_principal_removed.yml

@@ -1,22 +1,23 @@
 title: Azure Service Principal Removed
 id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
+status: test
 description: Identifies when a service principal was removed in Azure.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/03
 references:
     - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+author: Austin Songer @austinsonger
+date: 2021/09/03
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
 logsource:
-  product: azure
-  service: activitylogs
+    product: azure
+    service: activitylogs
 detection:
     selection:
         properties.message: Remove service principal
     condition: selection
-level: medium
-tags:
-    - attack.defense_evasion
 falsepositives:
- - Service principal being removed may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Service principal being removed may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/gcp/gcp_bucket_enumeration.yml

@@ -1,23 +1,24 @@
 title: Google Cloud Storage Buckets Enumeration
 id: e2feb918-4e77-4608-9697-990a1aaf74c3
+status: test
 description: Detects when storage bucket is enumerated in Google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/14
 references:
     - https://cloud.google.com/storage/docs/json_api/v1/buckets
+author: Austin Songer @austinsonger
+date: 2021/08/14
+modified: 2022/10/09
+tags:
+    - attack.discovery
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - storage.buckets.list
             - storage.buckets.listChannels
     condition: selection
-level: low
-tags:
-    - attack.discovery
 falsepositives:
- - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low

rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml

@@ -1,25 +1,26 @@
 title: Google Cloud Storage Buckets Modified or Deleted
 id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
+status: test
 description: Detects when storage bucket is modified or deleted in Google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/14
 references:
     - https://cloud.google.com/storage/docs/json_api/v1/buckets
+author: Austin Songer @austinsonger
+date: 2021/08/14
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - storage.buckets.delete
             - storage.buckets.insert
             - storage.buckets.update
             - storage.buckets.patch
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/gcp/gcp_dlp_re_identifies_sensitive_information.yml

@@ -1,21 +1,22 @@
 title: Google Cloud Re-identifies Sensitive Information
 id: 234f9f48-904b-4736-a34c-55d23919e4b7
+status: test
 description: Identifies when sensitive information is re-identified in google Cloud.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/15
 references:
     - https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
+author: Austin Songer @austinsonger
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+    - attack.impact
+    - attack.t1565
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
         gcp.audit.method_name: projects.content.reidentify
     condition: selection
-level: medium
-tags:
-    - attack.impact
-    - attack.t1565
 falsepositives:
- - Unknown
+    - Unknown
+level: medium

rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml

@@ -1,23 +1,24 @@
 title: Google Cloud DNS Zone Modified or Deleted
 id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3
-description: Identifies when a DNS Zone is modified or deleted in Google Cloud. 
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/15
+status: test
+description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
 references:
     - https://cloud.google.com/dns/docs/reference/v1/managedZones
+author: Austin Songer @austinsonger
+date: 2021/08/15
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - Dns.ManagedZones.Delete
             - Dns.ManagedZones.Update
             - Dns.ManagedZones.Patch
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
+    - Unknown
+level: medium

rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml

@@ -1,27 +1,28 @@
 title: Google Cloud Firewall Modified or Deleted
 id: fe513c69-734c-4d4a-8548-ac5f609be82b
+status: test
 description: Detects  when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/13
 references:
     - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
     - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
+author: Austin Songer @austinsonger
+date: 2021/08/13
+modified: 2022/10/09
+tags:
+    - attack.defense_evasion
+    - attack.t1562
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - v*.Compute.Firewalls.Delete
             - v*.Compute.Firewalls.Patch
             - v*.Compute.Firewalls.Update
             - v*.Compute.Firewalls.Insert
     condition: selection
-level: medium
-tags:
-    - attack.defense_evasion
-    - attack.t1562
 falsepositives:
- - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected. 
- - Exceptions can be added to this rule to filter expected behavior.
+    - Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
+    - Exceptions can be added to this rule to filter expected behavior.
+level: medium

rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml

@@ -1,18 +1,22 @@
 title: Google Full Network Traffic Packet Capture
 id: 980a7598-1e7f-4962-9372-2d754c930d0e
+status: test
 description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/13
 references:
     - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
     - https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
+author: Austin Songer @austinsonger
+date: 2021/08/13
+modified: 2022/10/09
+tags:
+    - attack.collection
+    - attack.t1074
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - v*.Compute.PacketMirrorings.Get
             - v*.Compute.PacketMirrorings.Delete
             - v*.Compute.PacketMirrorings.Insert
@@ -20,10 +24,7 @@ detection:
             - v*.Compute.PacketMirrorings.List
             - v*.Compute.PacketMirrorings.aggregatedList
     condition: selection
-level: medium
-tags:
-    - attack.collection
-    - attack.t1074
 falsepositives:
-  - Full Network Packet Capture may be done by a system or network administrator. 
-  - If known behavior is causing false positives, it can be exempted from the rule.
+    - Full Network Packet Capture may be done by a system or network administrator.
+    - If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/gcp/gcp_kubernetes_rolebinding.yml

@@ -1,21 +1,24 @@
 title: Google Cloud Kubernetes RoleBinding
 id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
+status: test
 description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/09
 references:
     - https://github.com/elastic/detection-rules/pull/1267
     - https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
     - https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
     - https://kubernetes.io/docs/reference/access-authn-authz/rbac/
     - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
+author: Austin Songer @austinsonger
+date: 2021/08/09
+modified: 2022/10/09
+tags:
+    - attack.credential_access
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - io.k8s.authorization.rbac.v*.clusterrolebindings.create
             - io.k8s.authorization.rbac.v*.rolebindings.create
             - io.k8s.authorization.rbac.v*.clusterrolebindings.patch
@@ -25,9 +28,7 @@ detection:
             - io.k8s.authorization.rbac.v*.clusterrolebindings.delete
             - io.k8s.authorization.rbac.v*.rolebindings.delete
     condition: selection
-level: medium
-tags:
-    - attack.credential_access
 falsepositives:
- - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml

@@ -1,25 +1,26 @@
 title: Google Cloud Kubernetes Secrets Modified or Deleted
 id: 2f0bae2d-bf20-4465-be86-1311addebaa3
+status: test
 description: Identifies when the Secrets are Modified or Deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/09
 references:
     - https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
+author: Austin Songer @austinsonger
+date: 2021/08/09
+modified: 2022/10/09
+tags:
+    - attack.credential_access
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - io.k8s.core.v*.secrets.create
             - io.k8s.core.v*.secrets.update
             - io.k8s.core.v*.secrets.patch
-            - io.k8s.core.v*.secrets.delete 
+            - io.k8s.core.v*.secrets.delete
     condition: selection
-level: medium
-tags:
-    - attack.credential_access
 falsepositives:
- - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml

@@ -1,24 +1,25 @@
 title: Google Cloud Service Account Disabled or Deleted
 id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
-description: Identifies when a service account is disabled or deleted in Google Cloud. 
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/14
+status: test
+description: Identifies when a service account is disabled or deleted in Google Cloud.
 references:
     - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
-logsource:
-  product: gcp
-  service: gcp.audit
-detection:
-    selection:
-        gcp.audit.method_name|endswith: 
-            - .serviceAccounts.disable
-            - .serviceAccounts.delete
-    condition: selection
-level: medium
+author: Austin Songer @austinsonger
+date: 2021/08/14
+modified: 2022/10/09
 tags:
     - attack.impact
     - attack.t1531
+logsource:
+    product: gcp
+    service: gcp.audit
+detection:
+    selection:
+        gcp.audit.method_name|endswith:
+            - .serviceAccounts.disable
+            - .serviceAccounts.delete
+    condition: selection
 falsepositives:
- - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/gcp/gcp_service_account_modified.yml

@@ -1,26 +1,27 @@
 title: Google Cloud Service Account Modified
 id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
-description: Identifies when a service account is modified in Google Cloud. 
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/14
+status: test
+description: Identifies when a service account is modified in Google Cloud.
 references:
     - https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
+author: Austin Songer @austinsonger
+date: 2021/08/14
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name|endswith: 
+        gcp.audit.method_name|endswith:
             - .serviceAccounts.patch
             - .serviceAccounts.create
             - .serviceAccounts.update
             - .serviceAccounts.enable
             - .serviceAccounts.undelete
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml

@@ -1,24 +1,25 @@
 title: Google Cloud VPN Tunnel Modified or Deleted
 id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1
-description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud. 
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/08/16
+status: test
+description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
 references:
     - https://any-api.com/googleapis_com/compute/docs/vpnTunnels
+author: Austin Songer @austinsonger
+date: 2021/08/16
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: gcp
-  service: gcp.audit
+    product: gcp
+    service: gcp.audit
 detection:
     selection:
-        gcp.audit.method_name: 
+        gcp.audit.method_name:
             - compute.vpnTunnels.insert
             - compute.vpnTunnels.delete
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - VPN Tunnel being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - VPN Tunnel being modified or deleted may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: medium

rules/cloud/gworkspace/gworkspace_application_removed.yml

@@ -1,25 +1,26 @@
 title: Google Workspace Application Removed
 id: ee2803f0-71c8-4831-b48b-a1fc57601ee4
+status: test
 description: Detects when an an application is removed from Google Workspace.
-author: Austin Songer
-status: experimental
-date: 2021/08/26
 references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
+author: Austin Songer
+date: 2021/08/26
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: google_workspace
-  service: google_workspace.admin
+    product: google_workspace
+    service: google_workspace.admin
 detection:
     selection:
         eventService: admin.googleapis.com
-        eventName: 
+        eventName:
             - REMOVE_APPLICATION
             - REMOVE_APPLICATION_FROM_WHITELIST
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Application being removed may be performed by a System Administrator.
+    - Application being removed may be performed by a System Administrator.
+level: medium

rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml

@@ -1,24 +1,25 @@
 title: Google Workspace Granted Domain API Access
 id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
+status: test
 description: Detects when an API access service account is granted domain authority.
-author: Austin Songer
-status: experimental
-date: 2021/08/23
 references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
+author: Austin Songer
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+    - attack.persistence
+    - attack.t1098
 logsource:
-  product: google_workspace
-  service: google_workspace.admin
+    product: google_workspace
+    service: google_workspace.admin
 detection:
     selection:
         eventService: admin.googleapis.com
         eventName: AUTHORIZE_API_CLIENT_ACCESS
     condition: selection
-level: medium
-tags:
-    - attack.persistence
-    - attack.t1098
 falsepositives:
- - Unknown
- 
+    - Unknown
+
+level: medium

rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml

@@ -1,26 +1,27 @@
 title: Google Workspace Role Modified or Deleted
 id: 6aef64e3-60c6-4782-8db3-8448759c714e
+status: test
 description: Detects when an a role is modified or deleted in Google Workspace.
-author: Austin Songer
-status: experimental
-date: 2021/08/24
 references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+author: Austin Songer
+date: 2021/08/24
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: google_workspace
-  service: google_workspace.admin
+    product: google_workspace
+    service: google_workspace.admin
 detection:
     selection:
         eventService: admin.googleapis.com
-        eventName: 
+        eventName:
             - DELETE_ROLE
             - RENAME_ROLE
             - UPDATE_ROLE
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
- 
+    - Unknown
+
+level: medium

rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml

@@ -1,23 +1,24 @@
 title: Google Workspace Role Privilege Deleted
 id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
+status: test
 description: Detects when an a role privilege is deleted in Google Workspace.
-author: Austin Songer
-status: experimental
-date: 2021/08/24
 references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
+author: Austin Songer
+date: 2021/08/24
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: google_workspace
-  service: google_workspace.admin
+    product: google_workspace
+    service: google_workspace.admin
 detection:
     selection:
         eventService: admin.googleapis.com
         eventName: REMOVE_PRIVILEGE
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
- 
+    - Unknown
+
+level: medium

rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml

@@ -1,25 +1,26 @@
 title: Google Workspace User Granted Admin Privileges
 id: 2d1b83e4-17c6-4896-a37b-29140b40a788
-description: Detects when an Google Workspace user is granted admin privileges. 
-author: Austin Songer
-status: experimental
-date: 2021/08/23
+status: test
+description: Detects when an Google Workspace user is granted admin privileges.
 references:
     - https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
     - https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
-logsource:
-  product: google_workspace
-  service: google_workspace.admin
-detection:
-    selection:
-        eventService: admin.googleapis.com
-        eventName: 
-            - GRANT_DELEGATED_ADMIN_PRIVILEGES
-            - GRANT_ADMIN_PRIVILEGE
-    condition: selection
-level: medium
+author: Austin Songer
+date: 2021/08/23
+modified: 2022/10/09
 tags:
     - attack.persistence
     - attack.t1098
+logsource:
+    product: google_workspace
+    service: google_workspace.admin
+detection:
+    selection:
+        eventService: admin.googleapis.com
+        eventName:
+            - GRANT_DELEGATED_ADMIN_PRIVILEGES
+            - GRANT_ADMIN_PRIVILEGE
+    condition: selection
 falsepositives:
- - Google Workspace admin role privileges, may be modified by system administrators.
+    - Google Workspace admin role privileges, may be modified by system administrators.
+level: medium

rules/cloud/m365/microsoft365_activity_by_terminated_user.yml

@@ -1,12 +1,15 @@
 title: Activity Performed by Terminated User
 id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
-author: Austin Songer @austinsonger
-date: 2021/08/23
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
     service: threat_management
     product: m365
@@ -19,5 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.impact

rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml

@@ -1,12 +1,16 @@
 title: Activity from Anonymous IP Addresses
 id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
-author: Austin Songer @austinsonger
-date: 2021/08/23
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+    - attack.command_and_control
+    - attack.t1573
 logsource:
     service: threat_management
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - User using a VPN or Proxy
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1573

rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml

@@ -1,12 +1,16 @@
 title: Activity from Infrequent Country
 id: 0f2468a2-5055-4212-a368-7321198ee706
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
-author: Austin Songer @austinsonger
-date: 2021/08/23
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+    - attack.command_and_control
+    - attack.t1573
 logsource:
     service: threat_management
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1573

rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml

@@ -1,12 +1,16 @@
 title: Data Exfiltration to Unsanctioned Apps
 id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
-author: Austin Songer @austinsonger
-date: 2021/08/23
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+    - attack.exfiltration
+    - attack.t1537
 logsource:
     service: threat_management
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.exfiltration
-    - attack.t1537

rules/cloud/m365/microsoft365_from_susp_ip_addresses.yml

@@ -1,12 +1,16 @@
 title: Activity from Suspicious IP Addresses
 id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
-status: experimental
-description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account. 
-author: Austin Songer @austinsonger
-date: 2021/08/23
+status: test
+description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+    - attack.command_and_control
+    - attack.t1573
 logsource:
     service: threat_detection
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.command_and_control
-    - attack.t1573

rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml

@@ -1,12 +1,16 @@
 title: Logon from a Risky IP Address
 id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
-author: Austin Songer @austinsonger
-date: 2021/08/23
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+    - attack.initial_access
+    - attack.t1078
 logsource:
     service: threat_management
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.initial_access
-    - attack.t1078

rules/cloud/m365/microsoft365_potential_ransomware_activity.yml

@@ -1,12 +1,16 @@
 title: Microsoft 365 - Potential Ransomware Activity
 id: bd132164-884a-48f1-aa2d-c6d646b04c69
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
-author: austinsonger
-date: 2021/08/19
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: austinsonger
+date: 2021/08/19
+modified: 2022/10/09
+tags:
+    - attack.impact
+    - attack.t1486
 logsource:
     service: threat_management
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.impact
-    - attack.t1486

rules/cloud/m365/microsoft365_susp_inbox_forwarding.yml

@@ -1,12 +1,16 @@
 title: Suspicious Inbox Forwarding
 id: 6c220477-0b5b-4b25-bb90-66183b4089e8
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
-author: Austin Songer @austinsonger
-date: 2021/08/22
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/22
+modified: 2022/10/09
+tags:
+    - attack.exfiltration
+    - attack.t1020
 logsource:
     service: threat_management
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: low
-tags:
-    - attack.exfiltration
-    - attack.t1020

rules/cloud/m365/microsoft365_susp_oauth_app_file_download_activities.yml

@@ -1,12 +1,15 @@
 title: Suspicious OAuth App File Download Activities
 id: ee111937-1fe7-40f0-962a-0eb44d57d174
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
-author: Austin Songer @austinsonger
-date: 2021/08/23
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: Austin Songer @austinsonger
+date: 2021/08/23
+modified: 2022/10/09
+tags:
+    - attack.exfiltration
 logsource:
     service: threat_management
     product: m365
@@ -19,5 +22,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.exfiltration

rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml

@@ -1,12 +1,16 @@
 title: Microsoft 365 - Unusual Volume of File Deletion
 id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
-status: experimental
+status: test
 description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
-author: austinsonger
-date: 2021/08/19
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: austinsonger
+date: 2021/08/19
+modified: 2022/10/09
+tags:
+    - attack.impact
+    - attack.t1485
 logsource:
     service: threat_management
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.impact
-    - attack.t1485

rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml

@@ -1,12 +1,16 @@
 title: Microsoft 365 - User Restricted from Sending Email
 id: ff246f56-7f24-402a-baca-b86540e3925c
-status: experimental
+status: test
 description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
-author: austinsonger
-date: 2021/08/19
 references:
     - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
     - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
+author: austinsonger
+date: 2021/08/19
+modified: 2022/10/09
+tags:
+    - attack.initial_access
+    - attack.t1199
 logsource:
     service: threat_management
     product: m365
@@ -19,6 +23,3 @@ detection:
 falsepositives:
     - Unknown
 level: medium
-tags:
-    - attack.initial_access
-    - attack.t1199

rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml

@@ -1,25 +1,25 @@
 title: Okta Admin Role Assigned to an User or Group
 id: 413d4a81-6c98-4479-9863-014785fd579c
+status: test
 description: Detects when an the Administrator role is assigned to an user or group.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - group.privilege.grant
             - user.account.privilege.grant
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Administrator roles could be assigned to users or group by other admin users. 
- 
+    - Administrator roles could be assigned to users or group by other admin users.
+
+level: medium

rules/cloud/okta/okta_api_token_created.yml

@@ -1,23 +1,23 @@
 title: Okta API Token Created
 id: 19951c21-229d-4ccb-8774-b993c3ff3c5c
+status: test
 description: Detects when a API token is created
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.persistence
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
         eventtype: system.api_token.create
     condition: selection
-level: medium
-tags:
-    - attack.persistence
 falsepositives:
- - Unknown
+    - Unknown
 
+level: medium

rules/cloud/okta/okta_api_token_revoked.yml

@@ -1,23 +1,23 @@
 title: Okta API Token Revoked
 id: cf1dbc6b-6205-41b4-9b88-a83980d2255b
+status: test
 description: Detects when a API Token is revoked.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
         eventtype: system.api_token.revoke
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
- 
+    - Unknown
+
+level: medium

rules/cloud/okta/okta_application_modified_or_deleted.yml

@@ -1,25 +1,25 @@
 title: Okta Application Modified or Deleted
 id: 7899144b-e416-4c28-b0b5-ab8f9e0a541d
+status: test
 description: Detects when an application is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - application.lifecycle.update
             - application.lifecycle.delete
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
- 
+    - Unknown
+
+level: medium

rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml

@@ -1,24 +1,24 @@
 title: Okta Application Sign-On Policy Modified or Deleted
 id: 8f668cc4-c18e-45fe-ad00-624a981cf88a
+status: test
 description: Detects when an application Sign-on Policy is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - application.policy.sign_on.update
             - application.policy.sign_on.rule.delete
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
+    - Unknown
+level: medium

rules/cloud/okta/okta_mfa_reset_or_deactivated.yml

@@ -1,24 +1,24 @@
 title: Okta MFA Reset or Deactivated
 id: 50e068d7-1e6b-4054-87e5-0a592c40c7e0
+status: test
 description: Detects when an attempt at deactivating  or resetting MFA.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/21
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/21
+modified: 2022/10/09
+tags:
+    - attack.persistence
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - user.mfa.factor.deactivate
             - user.mfa.factor.reset_all
     condition: selection
-level: medium
-tags:
-    - attack.persistence
 falsepositives:
- - If a MFA reset or deactivated was performed by a system administrator. 
+    - If a MFA reset or deactivated was performed by a system administrator.
+level: medium

rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml

@@ -1,25 +1,25 @@
 title: Okta Network Zone Deactivated or Deleted
 id: 9f308120-69ed-4506-abde-ac6da81f4310
+status: test
 description: Detects when an Network Zone is Deactivated or Deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - zone.deactivate
             - zone.delete
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
- 
+    - Unknown
+
+level: medium

rules/cloud/okta/okta_policy_modified_or_deleted.yml

@@ -1,26 +1,26 @@
 title: Okta Policy Modified or Deleted
 id: 1667a172-ed4c-463c-9969-efd92195319a
+status: test
 description: Detects when an Okta policy is modified or deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - policy.lifecycle.update
             - policy.lifecycle.delete
     condition: selection
-level: low
-tags:
-    - attack.impact
 falsepositives:
- - Okta Policies being modified or deleted may be performed by a system administrator. 
- - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    - Okta Policies being modified or deleted may be performed by a system administrator.
+    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+    - Okta Policies modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+level: low

rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml

@@ -1,25 +1,25 @@
 title: Okta Policy Rule Modified or Deleted
 id: 0c97c1d3-4057-45c9-b148-1de94b631931
+status: test
 description: Detects when an Policy Rule is Modified or Deleted.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
-        eventtype: 
+        eventtype:
             - policy.rule.update
             - policy.rule.delete
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
- 
+    - Unknown
+
+level: medium

rules/cloud/okta/okta_security_threat_detected.yml

@@ -1,21 +1,21 @@
 title: Okta Security Threat Detected
 id: 5c82f0b9-3c6d-477f-a318-0e14a1df73e0
+status: test
 description: Detects when an security threat is detected in Okta.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
         eventtype: security.threat.detected
     condition: selection
-level: medium
 falsepositives:
- - Unknown
+    - Unknown
+level: medium

rules/cloud/okta/okta_unauthorized_access_to_app.yml

@@ -1,22 +1,22 @@
 title: Okta Unauthorized Access to App
 id: 6cc2b61b-d97e-42ef-a9dd-8aa8dc951657
+status: test
 description: Detects when unauthorized access to app occurs.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
         displaymessage: User attempted unauthorized access to app
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - User might of believe that they had access.
+    - User might of believe that they had access.
+level: medium

rules/cloud/okta/okta_user_account_locked_out.yml

@@ -1,22 +1,22 @@
 title: Okta User Account Locked Out
 id: 14701da0-4b0f-4ee6-9c95-2ffb4e73bb9a
+status: test
 description: Detects when an user account is locked out.
-author: Austin Songer @austinsonger
-status: experimental
-date: 2021/09/12
-modified: 2021/09/22
 references:
     - https://developer.okta.com/docs/reference/api/system-log/
     - https://developer.okta.com/docs/reference/api/event-types/
+author: Austin Songer @austinsonger
+date: 2021/09/12
+modified: 2022/10/09
+tags:
+    - attack.impact
 logsource:
-  product: okta
-  service: okta
+    product: okta
+    service: okta
 detection:
     selection:
         displaymessage: Max sign in attempts exceeded
     condition: selection
-level: medium
-tags:
-    - attack.impact
 falsepositives:
- - Unknown
+    - Unknown
+level: medium

rules/compliance/host_without_firewall.yml

@@ -4,7 +4,7 @@ status: stable
 description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
 author: Alexandr Yampolskyi, SOC Prime
 date: 2019/03/19
-modified: 2021/05/30
+modified: 2022/10/05
 references:
     - https://www.cisecurity.org/controls/cis-controls-list/
     - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
@@ -13,8 +13,8 @@ logsource:
     product: qualys
 detection:
     selection:
-        event.category: Security Policy
-        host.scan.vuln_name: Firewall Product Not Detected*
+        event.category: 'Security Policy'
+        host.scan.vuln_name|contains: 'Firewall Product Not Detected'
     condition: selection
 level: low
 # tags:

rules/linux/auditd/lnx_auditd_audio_capture.yml

@@ -1,27 +1,27 @@
 title: Audio Capture
 id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
+status: test
 description: Detects attempts to record audio with arecord utility
-    #the actual binary that arecord is using and that has to be monitored is /usr/bin/aplay 
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/04
 references:
-   - https://linux.die.net/man/1/arecord
-   - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
-   - https://attack.mitre.org/techniques/T1123/
-logsource:
-   product: linux
-   service: auditd
-detection:
-   selection:
-       type: EXECVE
-       a0: arecord
-       a1: '-vv'
-       a2: '-fdat'
-   condition: selection
+    - https://linux.die.net/man/1/arecord
+    - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
+    - https://attack.mitre.org/techniques/T1123/
+author: 'Pawel Mazur'
+date: 2021/09/04
+modified: 2022/10/09
 tags:
-   - attack.collection
-   - attack.t1123
+    - attack.collection
+    - attack.t1123
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: EXECVE
+        a0: arecord
+        a1: '-vv'
+        a2: '-fdat'
+    condition: selection
 falsepositives:
-   - Unknown
+    - Unknown
 level: low

rules/linux/auditd/lnx_auditd_clipboard_collection.yml

@@ -1,31 +1,32 @@
 title: Clipboard Collection with Xclip Tool
 id: 214e7e6c-f21b-47ff-bb6f-551b2d143fcf
+status: test
 description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/24
 references:
-   - https://attack.mitre.org/techniques/T1115/
-   - https://linux.die.net/man/1/xclip
-   - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+    - https://attack.mitre.org/techniques/T1115/
+    - https://linux.die.net/man/1/xclip
+    - https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/
+author: 'Pawel Mazur'
+date: 2021/09/24
+modified: 2022/10/09
+tags:
+    - attack.collection
+    - attack.t1115
 logsource:
-   product: linux
-   service: auditd
+    product: linux
+    service: auditd
 detection:
     selection:
         type: EXECVE
         a0: xclip
-        a1: 
+        a1:
             - '-selection'
             - '-sel'
-        a2: 
+        a2:
             - clipboard
             - clip
         a3: '-o'
     condition: selection
-tags:
-   - attack.collection
-   - attack.t1115
 falsepositives:
-   - Legitimate usage of xclip tools
+    - Legitimate usage of xclip tools
 level: low

rules/linux/auditd/lnx_auditd_clipboard_image_collection.yml

@@ -1,32 +1,33 @@
 title: Clipboard Collection of Image Data with Xclip Tool
 id: f200dc3f-b219-425d-a17e-c38467364816
+status: test
 description: Detects attempts to collect image data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations.
+references:
+    - https://attack.mitre.org/techniques/T1115/
+    - https://linux.die.net/man/1/xclip
 author: 'Pawel Mazur'
-status: experimental
 date: 2021/10/01
-references: 
-   - https://attack.mitre.org/techniques/T1115/
-   - https://linux.die.net/man/1/xclip
-logsource: 
-   product: linux
-   service: auditd
-detection:
-   selection:
-       type: EXECVE
-       a0: xclip
-       a1:
-         - '-selection'
-         - '-sel'
-       a2: 
-         - clipboard
-         - clip
-       a3: '-t'
-       a4|startswith: 'image/'
-       a5: '-o'
-   condition: selection
+modified: 2022/10/09
 tags:
-   - attack.collection
-   - attack.t1115
+    - attack.collection
+    - attack.t1115
+logsource:
+    product: linux
+    service: auditd
+detection:
+    selection:
+        type: EXECVE
+        a0: xclip
+        a1:
+            - '-selection'
+            - '-sel'
+        a2:
+            - clipboard
+            - clip
+        a3: '-t'
+        a4|startswith: 'image/'
+        a5: '-o'
+    condition: selection
 falsepositives:
-   - Legitimate usage of xclip tools
-level: low 
+    - Legitimate usage of xclip tools
+level: low

rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml

@@ -1,14 +1,12 @@
 title: CVE-2021-3156 Exploitation Attempt
 id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
-status: experimental
-description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. |
-             Alternative approach might be to look for flooding of auditd logs due to bruteforcing |
-             required to trigger the heap-based buffer overflow.
-author: Bhabesh Raj
-date: 2021/02/01
-modified: 2021/09/14
+status: test
+description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | Alternative approach might be to look for flooding of auditd logs due to bruteforcing | required to trigger the heap-based buffer overflow.
 references:
     - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
+author: Bhabesh Raj
+date: 2021/02/01
+modified: 2022/10/09
 tags:
     - attack.privilege_escalation
     - attack.t1068
@@ -39,4 +37,4 @@ detection:
     condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50
 falsepositives:
     - Unknown
-level: high
+level: high

rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow_brutforce.yml

@@ -3,15 +3,13 @@ id: b9748c98-9ea7-4fdb-80b6-29bed6ba71d2
 related:
     - id: 5ee37487-4eb8-4ac2-9be1-d7d14cdc559f
       type: derived
-status: experimental
-description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. |
-             Alternative approach might be to look for flooding of auditd logs due to bruteforcing |
-             required to trigger the heap-based buffer overflow.
-author: Bhabesh Raj
-date: 2021/02/01
-modified: 2021/09/14
+status: test
+description: Detects exploitation attempt of vulnerability described in CVE-2021-3156. | Alternative approach might be to look for flooding of auditd logs due to bruteforcing | required to trigger the heap-based buffer overflow.
 references:
     - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit
+author: Bhabesh Raj
+date: 2021/02/01
+modified: 2022/10/09
 tags:
     - attack.privilege_escalation
     - attack.t1068
@@ -26,4 +24,4 @@ detection:
     condition: selection | count() by host > 50
 falsepositives:
     - Unknown
-level: high
+level: high

rules/linux/auditd/lnx_auditd_hidden_files_directories.yml

@@ -1,33 +1,34 @@
 title: Hidden Files and Directories
 id: d08722cd-3d09-449a-80b4-83ea2d9d4616
+status: test
 description: Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/06
 references:
-   - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
-   - https://attack.mitre.org/techniques/T1564/001/
-logsource:
-   product: linux
-   service: auditd
-detection:
-   commands:
-       type: EXECVE
-       a0:
-           - mkdir
-           - touch
-           - vim
-           - nano
-           - vi
-   arguments:
-       - a1|contains: '/.'
-       - a1|startswith: '.'
-       - a2|contains: '/.'
-       - a2|startswith: '.'
-   condition: commands and arguments
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
+    - https://attack.mitre.org/techniques/T1564/001/
+author: 'Pawel Mazur'
+date: 2021/09/06
+modified: 2022/10/09
 tags:
-   - attack.defense_evasion
-   - attack.t1564.001
+    - attack.defense_evasion
+    - attack.t1564.001
+logsource:
+    product: linux
+    service: auditd
+detection:
+    commands:
+        type: EXECVE
+        a0:
+            - mkdir
+            - touch
+            - vim
+            - nano
+            - vi
+    arguments:
+        - a1|contains: '/.'
+        - a1|startswith: '.'
+        - a2|contains: '/.'
+        - a2|startswith: '.'
+    condition: commands and arguments
 falsepositives:
-   - Unknown
+    - Unknown
 level: low

rules/linux/auditd/lnx_auditd_hidden_zip_files_steganography.yml

@@ -1,29 +1,30 @@
 title: Steganography Hide Zip Information in Picture File
 id: 45810b50-7edc-42ca-813b-bdac02fb946b
+status: test
 description: Detects appending of zip file to image
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/09
 references:
-   - https://attack.mitre.org/techniques/T1027/003/
-   - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
+    - https://attack.mitre.org/techniques/T1027/003/
+    - https://zerotoroot.me/steganography-hiding-a-zip-in-a-jpeg-file/
+author: 'Pawel Mazur'
+date: 2021/09/09
+modified: 2022/10/09
 tags:
-   - attack.defense_evasion
-   - attack.t1027.003
-falsepositives:
-   - Unknown
-level: low
+    - attack.defense_evasion
+    - attack.t1027.003
 logsource:
-   product: linux
-   service: auditd
+    product: linux
+    service: auditd
 detection:
-   commands:
-       type: EXECVE
-       a0: cat
-   a1:
-       a1|endswith:
-          - '.jpg'
-          - '.png'
-   a2:
-       a2|endswith: '.zip'
-   condition: commands and a1 and a2
+    commands:
+        type: EXECVE
+        a0: cat
+    a1:
+        a1|endswith:
+            - '.jpg'
+            - '.png'
+    a2:
+        a2|endswith: '.zip'
+    condition: commands and a1 and a2
+falsepositives:
+    - Unknown
+level: low

rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml

@@ -1,17 +1,20 @@
 title: Linux Keylogging with Pam.d
 id: 49aae26c-450e-448b-911d-b3c13d178dfc
+status: test
 description: Detect attempt to enable auditing of TTY input
-    # -w /etc/pam.d/ -p wa -k pam - This rule will help you detect changes to the pam.d files - https://github.com/Neo23x0/auditd/blob/master/audit.rules
-    # The TTY events detection assumes that you do not expect them in your environment or add filtering on those users that you configured it for
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/05/24
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md
     - https://attack.mitre.org/techniques/T1003/
     - https://linux.die.net/man/8/pam_tty_audit
     - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing
     - https://access.redhat.com/articles/4409591#audit-record-types-2
+author: 'Pawel Mazur'
+date: 2021/05/24
+modified: 2022/10/09
+tags:
+    - attack.credential_access
+    - attack.t1003
+    - attack.t1056.001
 logsource:
     product: linux
     service: auditd
@@ -26,10 +29,6 @@ detection:
             - 'TTY'
             - 'USER_TTY'
     condition: path_events or tty_events
-tags:
-    - attack.credential_access
-    - attack.t1003
-    - attack.t1056.001
 falsepositives:
     - Administrative work
 level: high

rules/linux/auditd/lnx_auditd_network_service_scanning.yml

@@ -3,30 +3,30 @@ id: 3761e026-f259-44e6-8826-719ed8079408
 related:
     - id: 3e102cd9-a70d-4a7a-9508-403963092f31
       type: derived
-status: experimental
+status: test
 description: Detects enumeration of local or remote network services.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
 author: Alejandro Ortuno, oscd.community
 date: 2020/10/21
-modified: 2021/09/14
-references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
+modified: 2022/10/09
 tags:
-  - attack.discovery
-  - attack.t1046
+    - attack.discovery
+    - attack.t1046
 logsource:
-  product: linux
-  service: auditd
-  definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
+    product: linux
+    service: auditd
+    definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/e181243a7c708e9d579557d6f80e0ed3d3483b89/audit.rules#L182-L183'
 detection:
-  selection:
-    type: 'SYSCALL'
-    exe|endswith:
-      - '/telnet'
-      - '/nmap'
-      - '/netcat'
-      - '/nc'
-    key: 'network_connect_4'
-  condition: selection
+    selection:
+        type: 'SYSCALL'
+        exe|endswith:
+            - '/telnet'
+            - '/nmap'
+            - '/netcat'
+            - '/nc'
+        key: 'network_connect_4'
+    condition: selection
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: low

rules/linux/auditd/lnx_auditd_omigod_scx_runasprovider_executeshellcommand.yml

@@ -3,7 +3,7 @@ id: 045b5f9c-49f7-4419-a236-9854fb3c827a
 description: Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.
 status: experimental
 date: 2021/09/17
-modified: 2021/11/11
+modified: 2022/10/05
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.privilege_escalation
@@ -22,7 +22,7 @@ detection:
     selection:
         type: 'SYSCALL'
         syscall: 'execve'
-        uid: '0'
+        uid: 0
         cwd: '/var/opt/microsoft/scx/tmp'
         comm: 'sh'
     condition: selection

rules/linux/auditd/lnx_auditd_screencapture_import.yml

@@ -1,37 +1,38 @@
 title: Screen Capture with Import Tool
 id: dbe4b9c5-c254-4258-9688-d6af0b7967fd
+status: test
 description: Detects adversary creating screen capture of a desktop with Import Tool. Highly recommended using rule on servers, due to high usage of screenshot utilities on user workstations. ImageMagick must be installed.
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/21
 references:
-   - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
-   - https://attack.mitre.org/techniques/T1113/
-   - https://linux.die.net/man/1/import
-   - https://imagemagick.org/
-logsource:
-   product: linux
-   service: auditd
-detection:
-   import:
-       type: EXECVE
-       a0: import
-   import_window_root:
-       a1: '-window'
-       a2: 'root'
-       a3|endswith:
-         - '.png'
-         - '.jpg'
-         - '.jpeg'
-   import_no_window_root:
-       a1|endswith:
-         - '.png'
-         - '.jpg'
-         - '.jpeg'
-   condition: import and (import_window_root or import_no_window_root)
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
+    - https://attack.mitre.org/techniques/T1113/
+    - https://linux.die.net/man/1/import
+    - https://imagemagick.org/
+author: 'Pawel Mazur'
+date: 2021/09/21
+modified: 2022/10/09
 tags:
-   - attack.collection
-   - attack.t1113
+    - attack.collection
+    - attack.t1113
+logsource:
+    product: linux
+    service: auditd
+detection:
+    import:
+        type: EXECVE
+        a0: import
+    import_window_root:
+        a1: '-window'
+        a2: 'root'
+        a3|endswith:
+            - '.png'
+            - '.jpg'
+            - '.jpeg'
+    import_no_window_root:
+        a1|endswith:
+            - '.png'
+            - '.jpg'
+            - '.jpeg'
+    condition: import and (import_window_root or import_no_window_root)
 falsepositives:
-   - Legitimate use of screenshot utility
-level: low
+    - Legitimate use of screenshot utility
+level: low

rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml

@@ -1,31 +1,32 @@
 title: Screen Capture with Xwd
 id: e2f17c5d-b02a-442b-9052-6eb89c9fec9c
+status: test
 description: Detects adversary creating screen capture of a full with xwd. Highly recommended using rule on servers, due high usage of screenshot utilities on user workstations
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/13
 references:
-   - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
-   - https://attack.mitre.org/techniques/T1113/
-   - https://linux.die.net/man/1/xwd
-logsource:
-   product: linux
-   service: auditd
-detection:
-   xwd:
-       type: EXECVE
-       a0: xwd
-   xwd_root_window:
-       a1: '-root'
-       a2: '-out'
-       a3|endswith: '.xwd'
-   xwd_no_root_window:
-       a1: '-out'
-       a2|endswith: '.xwd'
-   condition: xwd and (xwd_root_window or xwd_no_root_window)
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-3---x-windows-capture
+    - https://attack.mitre.org/techniques/T1113/
+    - https://linux.die.net/man/1/xwd
+author: 'Pawel Mazur'
+date: 2021/09/13
+modified: 2022/10/09
 tags:
-   - attack.collection
-   - attack.t1113
+    - attack.collection
+    - attack.t1113
+logsource:
+    product: linux
+    service: auditd
+detection:
+    xwd:
+        type: EXECVE
+        a0: xwd
+    xwd_root_window:
+        a1: '-root'
+        a2: '-out'
+        a3|endswith: '.xwd'
+    xwd_no_root_window:
+        a1: '-out'
+        a2|endswith: '.xwd'
+    condition: xwd and (xwd_root_window or xwd_no_root_window)
 falsepositives:
-   - Legitimate use of screenshot utility
+    - Legitimate use of screenshot utility
 level: low

rules/linux/auditd/lnx_auditd_steghide_embed_steganography.yml

@@ -1,30 +1,31 @@
 title: Steganography Hide Files with Steghide
 id: ce446a9e-30b9-4483-8e38-d2c9ad0a2280
+status: test
 description: Detects embeding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.
-author: 'Pawel Mazur'
-status: experimental
-date: 2021/09/11
 references:
-   - https://attack.mitre.org/techniques/T1027/003/
-   - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+    - https://attack.mitre.org/techniques/T1027/003/
+    - https://vitux.com/how-to-hide-confidential-files-in-images-on-debian-using-steganography/
+author: 'Pawel Mazur'
+date: 2021/09/11
+modified: 2022/10/09
 tags:
-   - attack.defense_evasion
-   - attack.t1027.003
-falsepositives:
-   - Unknown
-level: low
+    - attack.defense_evasion
+    - attack.t1027.003
 logsource:
-   product: linux
-   service: auditd
+    product: linux
+    service: auditd
 detection:
-   selection:
-       type: EXECVE
-       a0: steghide
-       a1: embed
-       a2:
-         - '-cf'
-         - '-ef'
-       a4:
-         - '-cf'
-         - '-ef'
-   condition: selection
+    selection:
+        type: EXECVE
+        a0: steghide
+        a1: embed
+        a2:
+            - '-cf'
+            - '-ef'
+        a4:
+            - '-cf'
+            - '-ef'
+    condition: selection
+falsepositives:
+    - Unknown
+level: low