[Rule Tuning] Update Tags for Cloud Rules (#99)

* [Rule Tuning] Update Tags for Cloud Rules

* commenting out the alphabetical tag ordering in the rule formatter

* Update rule_formatter.py

* py lint

* Lint fix comments

* update modified dates

* Update credential_access_secretsmanager_getsecretvalue.toml

* adding Continuous Monitoring tag

* update tags

* fixed and in tags

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2020-08-03 17:15:15 -04:00
committed by GitHub
parent 7efe33e01d
commit 01b1e8be26
50 changed files with 105 additions and 104 deletions
+5 -4
@@ -142,10 +142,11 @@ def toml_write(rule_contents, outfile=None):
# but will at least purge extraneous white space
query = contents['rule'].pop('query', '').strip()
tags = contents['rule'].get("tags", [])
if tags and isinstance(tags, list):
contents['rule']["tags"] = list(sorted(set(tags)))
# - As tags are expanding, we may want to reconsider the need to have them in alphabetical order
# tags = contents['rule'].get("tags", [])
#
# if tags and isinstance(tags, list):
# contents['rule']["tags"] = list(sorted(set(tags)))
top = OrderedDict()
bottom = OrderedDict()
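Review bot: Commenting out the tags block removes not only the alphabetical sort but also the `set(tags)` de-duplication, so a rule file that lists the same tag twice is now written back with the duplicate intact. If only the ordering is unwanted, an order-preserving dedup using the `OrderedDict` already in scope keeps the old guarantee: `tags = contents['rule'].get("tags", [])` / `if tags and isinstance(tags, list):` / `    contents['rule']["tags"] = list(OrderedDict.fromkeys(tags))`. The commented-out copy should then be deleted rather than left in place; version control preserves the previous version, and dead code under a "we may want to reconsider" note tends to drift from the live code. `toml_write` begins before and continues after this hunk.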
@@ -2,7 +2,7 @@
creation_date = "2020/06/10"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/16"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "threshold"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/04"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
risk_score = 21
rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/06"
updated_date = "2020/07/28"
[rule]
author = ["Nick Jones", "Elastic"]
@@ -27,10 +27,10 @@ references = [
"https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
"http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
]
risk_score = 21
risk_score = 73
rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
severity = "low"
tags = ["AWS", "Elastic"]
severity = "high"
tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
type = "query"
query = '''
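Review bot: The risk_score change from 21 to 73 and severity from "low" to "high" for rule a00681e3-9ed6-447c-ab2c-be648821c622 is a substantive tuning change, yet neither the hunk nor the commit description gives a reason, while every other rule in this commit only gains tags and a new updated_date. A one-line rationale for the escalation would help later triage, either in the commit description or, presumably, in the rule's description field, which lies outside this hunk. The new 73/high pairing is at least consistent with the other high-severity rules in the set.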
@@ -2,7 +2,7 @@
creation_date = "2020/05/26"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 47
rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/10"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 47
rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/15"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 47
rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/26"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 47
rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/16"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 73
rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
severity = "high"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/15"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 73
rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
severity = "high"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/26"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
risk_score = 47
rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/28"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 73
rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
severity = "high"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/27"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 21
rule_id = "227dc608-e558-43d9-b521-150772250bae"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 47
rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/09"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 47
rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
type = "query"
query = '''
+2 -2
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/06"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
risk_score = 21
rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/24"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 47
rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/10"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/18"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 47
rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 47
rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/05"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 47
rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/26"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 47
rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
+2 -2
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 21
rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
+2 -2
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
risk_score = 47
rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
risk_score = 47
rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
severity = "medium"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/11"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
risk_score = 73
rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
severity = "high"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/02"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-c
risk_score = 21
rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/04"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
risk_score = 21
rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/06/05"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 21
rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
risk_score = 21
rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
risk_score = 21
rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
risk_score = 21
rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
severity = "low"
tags = ["AWS", "Elastic"]
tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
risk_score = 73
rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
severity = "high"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/16"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/16"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
severity = "medium"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "threshold"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
risk_score = 47
rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68"
severity = "medium"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
risk_score = 47
rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
severity = "medium"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/28"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/28"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 21
rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 47
rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3"
severity = "medium"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Network", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 21
rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/01"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/01"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 47
rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
severity = "medium"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
risk_score = 47
rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
severity = "medium"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "b8075894-0b62-46e5-977c-31275da34419"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 21
rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/20"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/20"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 21
rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/21"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/05/21"
updated_date = "2020/07/28"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 21
rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
severity = "low"
tags = ["Elastic", "Okta"]
tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"]
type = "query"
query = '''