From e08ff6c55d2e8236ec42b29f32d9d4764a3f20c2 Mon Sep 17 00:00:00 2001 
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Tue, 21 Jul 2020 12:27:42 -0400
Subject: [PATCH] [Rule Tuning] Update Cloud rules with note field (#79)

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
---
rules/aws/collection_cloudtrail_logging_created.toml | 1 +
.../aws/credential_access_iam_user_addition_to_group.toml | 3 +++
.../credential_access_secretsmanager_getsecretvalue.toml | 1 +
rules/aws/defense_evasion_cloudtrail_logging_deleted.toml | 1 +
.../aws/defense_evasion_cloudtrail_logging_suspended.toml | 1 +
rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml | 1 +
.../aws/defense_evasion_config_service_rule_deletion.toml | 1 +
.../defense_evasion_configuration_recorder_stopped.toml | 1 +
rules/aws/defense_evasion_ec2_flow_log_deletion.toml | 1 +
rules/aws/defense_evasion_ec2_network_acl_deletion.toml | 1 +
rules/aws/defense_evasion_guardduty_detector_deletion.toml | 1 +
.../defense_evasion_s3_bucket_configuration_deletion.toml | 1 +
rules/aws/defense_evasion_waf_acl_deletion.toml | 1 +
.../defense_evasion_waf_rule_or_rule_group_deletion.toml | 1 +
rules/aws/execution_via_system_manager.toml | 3 +++
rules/aws/exfiltration_ec2_snapshot_change_activity.toml | 1 +
rules/aws/impact_cloudtrail_logging_updated.toml | 3 +++
rules/aws/impact_cloudwatch_log_group_deletion.toml | 3 +++
rules/aws/impact_cloudwatch_log_stream_deletion.toml | 3 +++
rules/aws/impact_ec2_disable_ebs_encryption.toml | 1 +
rules/aws/impact_iam_deactivate_mfa_device.toml | 1 +
rules/aws/impact_iam_group_deletion.toml | 1 +
rules/aws/impact_rds_cluster_deletion.toml | 1 +
rules/aws/impact_rds_instance_cluster_stoppage.toml | 1 +
rules/aws/initial_access_console_login_root.toml | 3 +++
rules/aws/initial_access_password_recovery.toml | 1 +
rules/aws/persistence_ec2_network_acl_creation.toml | 1 +
rules/aws/persistence_iam_group_creation.toml | 1 +
rules/aws/persistence_rds_cluster_creation.toml | 3 +++
rules/aws/privilege_escalation_root_login_without_mfa.toml | 1 +
rules/aws/privilege_escalation_updateassumerolepolicy.toml | 1 +
.../credential_access_attempted_bypass_of_okta_mfa.toml | 1 +
rules/okta/impact_attempt_to_revoke_okta_api_token.toml | 1 +
rules/okta/impact_possible_okta_dos_attack.toml | 1 +
...l_access_suspicious_activity_reported_by_okta_user.toml | 7 +++++++
rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml | 1 +
rules/okta/okta_attempt_to_delete_okta_policy.toml | 1 +
rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml | 1 +
rules/okta/okta_attempt_to_modify_okta_network_zone.toml | 1 +
rules/okta/okta_attempt_to_modify_okta_policy.toml | 1 +
...mpt_to_modify_or_delete_application_sign_on_policy.toml | 1 +
rules/okta/okta_threat_detected_by_okta_threatinsight.toml | 1 +
...ce_administrator_privileges_assigned_to_okta_group.toml | 1 +
.../okta/persistence_attempt_to_create_okta_api_token.toml | 1 +
...ce_attempt_to_deactivate_mfa_for_okta_user_account.toml | 1 +
.../persistence_attempt_to_deactivate_okta_policy.toml | 1 +
...attempt_to_reset_mfa_factors_for_okta_user_account.toml | 1 +
47 files changed, 67 insertions(+)

diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index f925ec4d5..75245e9ae 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -20,6 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License"
 name = "AWS CloudTrail Log Created"
+note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html",
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index bbdedd318..0cd950a7b 100644
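Review bot: The added `note` on the CloudTrail Log Created hunk names the Filebeat module but not the input it actually needs, and the prerequisite is only actionable at that level: the references on this hunk are the CloudTrail CreateTrail API, so the query presumably matches CloudTrail events only, while the AWS Filebeat module carries more inputs than CloudTrail. Suggest `note = "The AWS Filebeat module (cloudtrail fileset) must be enabled to use this rule."`, with the fileset name confirmed against the module documentation before it is committed. If this field is rendered as the rule's investigation guide, as it is in Kibana, a one-line prerequisite is a thin guide; whether the query is additionally constrained by event.dataset cannot be seen here, since the `index` and `query` keys are outside the hunk.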
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -21,6 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License"
 name = "AWS IAM User Addition to Group"
+note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"]
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
@@ -45,6 +46,8 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index 4430f0efb..3498f44bc 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -22,6 +22,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License"
 name = "AWS Access Secret in Secrets Manager"
+note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
 "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
 "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index f295acd48..dd1d71708 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
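Review bot: The note on the Secrets Manager hunk gives only the ingestion prerequisite, yet of the rules in this patch this is the one whose event, GetSecretValue, is generated continuously by legitimate workloads, so the guidance an analyst needs is about tuning rather than Filebeat. A sentence such as `Expect regular GetSecretValue calls from application roles; exclude known service principals and investigate reads by IAM users, unfamiliar roles, or reads of secrets the principal has not accessed before.` appended to `note` would carry its weight. Separately, the second reference in the context is a plain `http://` URL to detectioninthe.cloud; a security rule's reference should be `https://` if the site serves it, since analysts follow these links from alerts.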
@@ -20,6 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License"
 name = "AWS CloudTrail Log Deleted"
+note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html",
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 29c7c524a..22b1c80cc 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -24,6 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License"
 name = "AWS CloudTrail Log Suspended"
+note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html",
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 4a947f07e..53cf3adb7 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -20,6 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License"
 name = "AWS CloudWatch Alarm Deletion"
+note = "The AWS Filebeat module must be enabled to use this rule."
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
 "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html",
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index 6379237f9..cf6302504 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
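Review bot: The note on the CloudTrail Log Suspended hunk should state that this detection depends on the very log stream the attacker is switching off: after StopLogging, presumably nothing further is delivered from that trail, so the StopLogging record is the last event the rule will see from it and the alert has to be handled as time-critical rather than as a configuration drift. Suggest extending the note, e.g. `note = "The AWS Filebeat module must be enabled to use this rule. This rule depends on CloudTrail delivery; ingest from an organization trail or a second trail in another account so that tampering with one trail is still observed."` The same caveat applies to the DeleteTrail hunk immediately above it on this page.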
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml @@ -24,6 +24,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS Config Service Tampering" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html", diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml index 2f80e5224..021caf468 100644 --- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml @@ -20,6 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS Configuration Recorder Stopped" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html", diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml index 85339644b..0d3805bb2 100644 --- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml +++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS EC2 Flow Log Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html", diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml index 3599c2c42..09ddee603 100644 
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml +++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS EC2 Network Access Control List Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml index a50b74211..1f0494d7a 100644 --- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml +++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS GuardDuty Detector Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html", diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml index 3080d30f5..0e2832693 100644 --- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml +++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml @@ -20,6 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS S3 Bucket Configuration Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", 
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml index 09e482097..77eab6bc2 100644 --- a/rules/aws/defense_evasion_waf_acl_deletion.toml +++ b/rules/aws/defense_evasion_waf_acl_deletion.toml @@ -20,6 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS WAF Access Control List Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html", diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml index 750fb1348..bdbbf081f 100644 --- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml +++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml @@ -20,6 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS WAF Rule or Rule Group Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html", diff --git a/rules/aws/execution_via_system_manager.toml b/rules/aws/execution_via_system_manager.toml index 11b9974ea..f072b8504 100644 --- a/rules/aws/execution_via_system_manager.toml +++ b/rules/aws/execution_via_system_manager.toml @@ -24,6 +24,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS Execution via System Manager" +note = "The AWS Filebeat module must be enabled to use this rule." references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"] risk_score = 21 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa" 
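Review bot: The note on the Execution via System Manager hunk does not help an analyst triage an alert scored `risk_score = 21`: Run Command and Session Manager are routine administrative paths, so the decisive questions are who ran which SSM document against which instances. Suggest `note = "The AWS Filebeat module must be enabled to use this rule. Review the SSM document name, the target instance IDs and the calling principal; automation roles running patch or inventory documents on a schedule are expected, ad-hoc shell documents from user principals are not."` The query this rule runs is outside the hunk, so which SSM operations it actually matches cannot be checked here.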
@@ -48,6 +49,8 @@ reference = "https://attack.mitre.org/techniques/T1064/" id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml index 224914317..2e1c777c2 100644 --- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml +++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS EC2 Snapshot Activity" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml index 171ee2bea..cc0b7df65 100644 --- a/rules/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/aws/impact_cloudtrail_logging_updated.toml @@ -20,6 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS CloudTrail Log Updated" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html", @@ -47,6 +48,8 @@ reference = "https://attack.mitre.org/techniques/T1492/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml index 4c665d5da..2d022652f 100644 
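Review bot: The note on the EC2 Snapshot Activity hunk could say what to look at: both references are ModifySnapshotAttribute, the call that shares a snapshot with another account or makes it public, so the decisive detail is the account IDs or the `all` group added to the snapshot's create-volume permission in the request parameters. Suggest appending to the note: `Check the createVolumePermission additions in the request parameters; sharing with an account outside the organization or with the all group is the exfiltration path.` The exact field path in the Filebeat CloudTrail mapping should be confirmed before it is quoted in the note, since analysts will paste it into searches.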
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS CloudWatch Log Group Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html", @@ -50,6 +51,8 @@ reference = "https://attack.mitre.org/techniques/T1485/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml index 95be708c7..52e61d8f6 100644 --- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS CloudWatch Log Stream Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html", @@ -50,6 +51,8 @@ reference = "https://attack.mitre.org/techniques/T1485/" id = "TA0040" name = "Impact" reference = "https://attack.mitre.org/tactics/TA0040/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml index e8bb6427c..a2c3e5e90 100644 --- a/rules/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml 
@@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS EC2 Encryption Disabled" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml index 6e03a9517..465d85476 100644 --- a/rules/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/aws/impact_iam_deactivate_mfa_device.toml @@ -24,6 +24,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS IAM Deactivation of MFA Device" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html", diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml index ade99f213..8c57abef6 100644 --- a/rules/aws/impact_iam_group_deletion.toml +++ b/rules/aws/impact_iam_group_deletion.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS IAM Group Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html", diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml index 211fda756..a7fab6dfd 100644 --- a/rules/aws/impact_rds_cluster_deletion.toml +++ b/rules/aws/impact_rds_cluster_deletion.toml 
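Review bot: The note on the IAM Deactivation of MFA Device hunk should give the analyst the distinction that decides triage: whether the calling principal deactivated its own device (typical of device rotation) or another user's, and whether a replacement device was registered shortly afterwards. Suggest `note = "The AWS Filebeat module must be enabled to use this rule. Compare the calling identity with the user named in the request; an MFA device deactivated for another user, or one not re-enabled soon after, should be treated as account takeover until verified with the user."` Whether the query already has the fields to express this distinction cannot be seen from this hunk.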
@@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS RDS Cluster Deletion" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml index a73e76f5c..0aa03af7d 100644 --- a/rules/aws/impact_rds_instance_cluster_stoppage.toml +++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml @@ -20,6 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS RDS Instance/Cluster Stoppage" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml index f063a28d6..40b5781cc 100644 --- a/rules/aws/initial_access_console_login_root.toml +++ b/rules/aws/initial_access_console_login_root.toml @@ -21,6 +21,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS Management Console Root Login" +note = "The AWS Filebeat module must be enabled to use this rule." references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"] risk_score = 73 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef" @@ -45,6 +46,8 @@ reference = "https://attack.mitre.org/techniques/T1078/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] 
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml index f3cf8a31c..dc4c7a57b 100644 --- a/rules/aws/initial_access_password_recovery.toml +++ b/rules/aws/initial_access_password_recovery.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS IAM Password Recovery Requested" +note = "The AWS Filebeat module must be enabled to use this rule." references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"] risk_score = 21 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c" diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml index ab268c6d2..eb7effaf3 100644 --- a/rules/aws/persistence_ec2_network_acl_creation.toml +++ b/rules/aws/persistence_ec2_network_acl_creation.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS EC2 Network Access Control List Creation" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml index 489919b23..fb625fde3 100644 --- a/rules/aws/persistence_iam_group_creation.toml +++ b/rules/aws/persistence_iam_group_creation.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS IAM Group Creation" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html", 
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml index dcf515947..bbf0e2ca0 100644 --- a/rules/aws/persistence_rds_cluster_creation.toml +++ b/rules/aws/persistence_rds_cluster_creation.toml @@ -23,6 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS RDS Cluster Creation" +note = "The AWS Filebeat module must be enabled to use this rule." references = [ "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", @@ -52,6 +53,8 @@ reference = "https://attack.mitre.org/techniques/T1108/" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + + [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml index 2f3ed2c0f..23c263180 100644 --- a/rules/aws/privilege_escalation_root_login_without_mfa.toml +++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml @@ -22,6 +22,7 @@ interval = "10m" language = "kuery" license = "Elastic License" name = "AWS Root Login Without MFA" +note = "The AWS Filebeat module must be enabled to use this rule." references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"] risk_score = 21 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc" diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml index 0d9974626..4b0f3ae19 100644 --- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml +++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml 
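Review bot: `risk_score = 21` on the Root Login Without MFA hunk is far below the `risk_score = 73` visible on the AWS Management Console Root Login hunk earlier on this page, yet an MFA-less root sign-in is a strict subset of root sign-ins and the more serious case, so the two scores look inverted. The note added here is the natural place to state the relationship, e.g. `note = "The AWS Filebeat module must be enabled to use this rule. A root sign-in without MFA should be treated as a likely credential compromise; the AWS Management Console Root Login rule fires on every root sign-in, this one only on the unprotected ones."`, and the score should be revisited alongside it. The queries of both rules are outside their hunks, so the subset relationship is inferred from the rule names and references.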
@@ -23,6 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License"
 name = "AWS IAM Assume Role Policy Update"
+note = "The AWS Filebeat module must be enabled to use this rule."
 references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 03050c704..34d5e2ecb 100644
--- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -14,6 +14,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempted Bypass of Okta MFA"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
index 766f7fa2b..45020099a 100644
--- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -20,6 +20,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Revoke Okta API Token"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml
index de7e1f464..b1794efc5 100644
--- a/rules/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/okta/impact_possible_okta_dos_attack.toml
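Review bot: The note on the Attempt to Revoke Okta API Token hunk should say that the token being revoked may be the collector's own: the Okta Filebeat module presumably authenticates to the System Log API with an Okta API token, so revoking it silently stops the ingestion every Okta rule in this patch depends on, and this alert may be the last Okta event received. Suggest `note = "The Okta Filebeat module must be enabled to use this rule. Check whether the revoked token is the one used for log collection; if so, treat the loss of further Okta events as part of the incident rather than as a collection fault."` The context shows `index = ["filebeat-*"]`, a generic pattern, so the restriction to Okta events must live in the query, which is outside the hunk.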
@@ -14,6 +14,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Possible Okta DoS Attack"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index b39d71f04..7e29f4183 100644
--- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -15,6 +15,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious Activity Reported by Okta User"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
@@ -42,6 +43,8 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -54,6 +57,8 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -66,6 +71,8 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml
index 1610fe347..fb4ca253d 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml
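Review bot: The note on the Suspicious Activity Reported by Okta User hunk should explain that this event is raised by the end user, presumably through the report link in Okta's new sign-in notification, so the alert carries the user's judgement rather than Okta's and the first triage step is to reach that user and confirm which sign-in they reported. Suggest `note = "The Okta Filebeat module must be enabled to use this rule. Contact the reporting user, confirm the sign-in they flagged, and review recent authentication events and MFA changes for the account."` The three later hunks on this file only insert blank lines between the `[[rule.threat]]` tables, which does not change the rule's meaning.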
+++ b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml @@ -20,6 +20,7 @@ index = ["filebeat-*"] language = "kuery" license = "Elastic License" name = "Attempt to Deactivate Okta MFA Rule" +note = "The Okta Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml index 39156648f..d502221f3 100644 --- a/rules/okta/okta_attempt_to_delete_okta_policy.toml +++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml @@ -21,6 +21,7 @@ index = ["filebeat-*"] language = "kuery" license = "Elastic License" name = "Attempt to Delete Okta Policy" +note = "The Okta Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml index 4608ebc87..2e7ff7890 100644 --- a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml +++ b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml @@ -20,6 +20,7 @@ index = ["filebeat-*"] language = "kuery" license = "Elastic License" name = "Attempt to Modify Okta MFA Rule" +note = "The Okta Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml index 896946c84..e19450ec8 100644 --- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml 
@@ -21,6 +21,7 @@ index = ["filebeat-*"] language = "kuery" license = "Elastic License" name = "Attempt to Modify Okta Network Zone" +note = "The Okta Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml index 0b9c9bb7d..58a849a2f 100644 --- a/rules/okta/okta_attempt_to_modify_okta_policy.toml +++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml @@ -21,6 +21,7 @@ index = ["filebeat-*"] language = "kuery" license = "Elastic License" name = "Attempt to Modify Okta Policy" +note = "The Okta Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index f255af906..dfece9f50 100644 --- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -20,6 +20,7 @@ index = ["filebeat-*"] language = "kuery" license = "Elastic License" name = "Modification or Removal of an Okta Application Sign-On Policy" +note = "The Okta Filebeat module must be enabled to use this rule." references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml index 048cdf0d9..e56cce1c6 100644 --- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml +++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml 
@@ -15,6 +15,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Threat Detected by Okta ThreatInsight"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 7b5a556fb..67b05bd7a 100644
--- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -20,6 +20,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Administrator Privileges Assigned to Okta Group"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
index d8bc193a8..01a5aa6c5 100644
--- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -21,6 +21,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Create Okta API Token"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 28e7408ef..1a80d800b 100644
--- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -20,6 +20,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Deactivate MFA for Okta User Account"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
index 8500b070d..df081aaaa 100644
--- a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
+++ b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml
@@ -21,6 +21,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Deactivate Okta Policy"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 757b1af65..4eeaf0b01 100644
--- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -20,6 +20,7 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License"
 name = "Attempt to Reset MFA Factors for Okta User Account"
+note = "The Okta Filebeat module must be enabled to use this rule."
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
