From ef453d8f4d37cfc6332fa13757dde6d2d5ce8f8b Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri, 8 Nov 2024 23:11:18 -0500 Subject: [PATCH] [Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261) * adding investigation fields to specific aws rules * updated patch * removing min-stack requirements * removed user.name redundancy * adjusted order of investigation fields * adding source address --- detection_rules/etc/non-ecs-schema.json | 2 +- pyproject.toml | 2 +- ...m_sendcommand_with_command_parameters.toml | 21 +++++++++++- ...se_evasion_cloudtrail_logging_deleted.toml | 21 ++++++++++-- ...y_ec2_multi_region_describe_instances.toml | 9 ++++- ..._multiple_discovery_api_calls_via_cli.toml | 8 ++++- ...overy_new_terms_sts_getcalleridentity.toml | 32 ++++++++++++----- ...command_document_created_by_rare_user.toml | 31 +++++++++++++---- ...n_sns_email_subscription_by_rare_user.toml | 18 +++++++++- ..._s3_bucket_enumeration_or_brute_force.toml | 9 ++++- ..._group_configuration_change_detection.toml | 18 +++++++++- ...user_via_assumed_role_on_ec2_instance.toml | 16 ++++++++- ..._created_access_keys_for_another_user.toml | 34 +++++++++++++++++-- ...stratoraccess_policy_attached_to_user.toml | 33 ++++++++++++++++-- ...tomer_managed_policy_attached_to_role.toml | 20 +++++++++-- ...escalation_role_assumption_by_service.toml | 18 +++++++++- ...ge_escalation_role_assumption_by_user.toml | 20 ++++++++++- ...attempts_to_use_denied_models_by_user.toml | 10 +++++- ...ation_exception_errors_by_single_user.toml | 11 +++++- ...e_iam_instance_request_to_iam_service.toml | 19 ++++++++++- 20 files changed, 315 insertions(+), 37 deletions(-) diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 1b3b24beb..ef82fd537 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json 
@@ -152,7 +152,7 @@ "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword", "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword", "aws.cloudtrail.flattened.request_parameters.roleName": "keyword", - "aws.cloudtrail.flattened.request_paramters.policyArn": "keyword", + "aws.cloudtrail.flattened.request_parameters.policyArn": "keyword", "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword" }, "logs-azure.signinlogs-*": { diff --git a/pyproject.toml b/pyproject.toml index 0aece7e24..0796f6b4c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "0.1.5" +version = "0.1.6" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml index 15ff7f827..ee87869d3 100644 --- a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml +++ b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml @@ -2,7 +2,7 @@ creation_date = "2022/09/03" integration = ["endpoint", "auditd_manager"] maturity = "production" -updated_date = "2024/09/23" +updated_date = "2024/11/07" [rule] author = ["Elastic"] 
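Review bot: The misspelling fixed here was self-consistent with the rule that used it (the `AttachRolePolicy` rule later in this patch), which is why schema validation never flagged it — and in KQL a negated clause on a field that does not exist in any document is true for every event, so the exclusion that rule expressed was silently inert. A small test over this file asserting that each `aws.cloudtrail.flattened.*` key continues with one of the known CloudTrail record members (`request_parameters`, `response_elements`, and whichever others are in use) would catch the next hand-typed key at lint time, where a cross-check between rule queries and this schema would not have, since both carried the same typo. Because the rename changes that rule's alert volume, it merits a line in the PR description beyond the investigation-fields framing.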
@@ -87,6 +87,25 @@ and process.args: ( ) ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "process.user.name", + "process.entry_leader.group.name", + "process.entry_leader.real_user.name", + "event.action", + "event.type", + "host.os.type", + "host.os.kernel", + "process.entry_leader.executable", + "process.entry_leader.working_directory", + "process.parent.executable", + "process.executable", + "process.hash.sha256", + "process.parent.command_line", + "process.command_line", + "process.args" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index 0bbea8b84..491774c61 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -86,9 +86,26 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success +event.dataset:aws.cloudtrail + and event.provider:cloudtrail.amazonaws.com + and event.action:DeleteTrail + and event.outcome:success ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "source.address", + "user_agent.original", + "aws.cloudtrail.flattened.request_parameters.name", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters" +] [[rule.threat]] framework = "MITRE ATT&CK" 
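Review bot: The new `field_names` list for this endpoint rule carries `host.os.type` and `host.os.kernel` but no `host.name` or `host.id`, so the alert flyout shows the kernel version but not which machine the SSM agent ran the command on; add `"host.name",` (and `"host.id",` where the source populates it) near the top of the list. `process.entity_id` would likewise let an analyst pivot into the process tree from the flyout rather than searching again by `process.command_line`. The `[[rule.threat]]` table that follows continues outside this hunk.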
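Review bot: `cloud.account.id` is missing from the DeleteTrail field list, and for an organization trail or multi-account ingest the account the trail was deleted from matters at least as much as `cloud.region`; add `"cloud.account.id",` next to it. Also worth confirming that `aws.cloudtrail.flattened.request_parameters.name` is declared in `non-ecs-schema.json` — the slice of that file visible in this patch lists `roleArn`, `roleName`, `policyArn` and `serialNumber` but not `name`, and an unmapped field will simply show no value in the alert.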
diff --git a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml index 711d3d688..ac33fffcf 100644 --- a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml +++ b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml @@ -2,7 +2,7 @@ creation_date = "2024/08/26" integration = ["aws"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -107,6 +107,13 @@ from logs-aws.cloudtrail-* | sort target_time_window desc ''' +[rule.investigation_fields] +field_names = [ + "aws.cloudtrail.user_identity.arn", + "target_time_window", + "region_count", + "window_count" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml b/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml index 8edc29e98..a3e05953d 100644 --- a/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml +++ b/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully" min_stack_version = "8.13.0" -updated_date = "2024/11/04" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -133,6 +133,12 @@ from logs-aws.cloudtrail* | sort unique_api_count desc ''' +[rule.investigation_fields] +field_names = [ + "time_window", + "aws.cloudtrail.user_identity.arn", + "unique_api_count" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml index ac3e56e38..c1e8b989b 100644 --- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml 
+++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml @@ -2,19 +2,19 @@ creation_date = "2024/05/24" integration = ["aws"] maturity = "production" -updated_date = "2024/09/30" +updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ -An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and -determine what account they are using. This rule looks for the first time an identity has called the -STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. +An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and +determine what account they are using. This rule looks for the first time an identity has called the +STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using. """ false_positives = [ """ - Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. + Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. If known behavior is causing false positives, it can be exempted from the rule. """, ] 
@@ -29,7 +29,7 @@ note = """## Triage and analysis ### Investigating AWS GetCallerIdentity API Called for the First Time AWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users. -The `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. +The `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. No permissions are required to run this operation and the same information is returned even when access is denied. This rule looks for use of the `GetCallerIdentity` operation. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days. @@ -93,10 +93,26 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "GetCallerIdentity" -and not aws.cloudtrail.user_identity.type: "AssumedRole" +event.dataset: "aws.cloudtrail" + and event.provider: "sts.amazonaws.com" + and event.action: "GetCallerIdentity" + and event.outcome: "success" + and not aws.cloudtrail.user_identity.type: "AssumedRole" ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "source.address", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.arn", + "user_agent.original", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml index 1818b53dd..6062fe1ad 100644 
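Review bot: The added `and event.outcome: "success"` is a detection-logic change rather than an investigation-field addition, and neither the PR description nor the rule's `note` mentions it. The note itself says the call needs no permissions, so the filter removes almost nothing legitimate; what it does drop are failed calls made with an expired or revoked key, which CloudTrail to my knowledge records with an `errorCode` such as `ExpiredToken`, and a first-seen identity failing `GetCallerIdentity` is close to the textbook signature of an adversary testing harvested credentials. If excluding failures is intended, say so in `note` and in the false-positives text; otherwise I would drop the clause.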
--- a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml +++ b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml @@ -2,16 +2,19 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2024/11/01" +updated_date = "2024/11/07" [rule] author = ["Elastic"] description = """ -Identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, data exfiltration and more. +Identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this +action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to +unauthorized access, command and control, data exfiltration and more. """ false_positives = [ """ - Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized and the user is known before taking action. + Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized + and the user is known before taking action. """, ] from = "now-9m" @@ -19,8 +22,7 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "AWS SSM Command Document Created by Rare User" -note = """ -## Triage and Analysis +note = """## Triage and Analysis ### Investigating AWS SSM Command Document Created by Rare User 
@@ -55,7 +57,7 @@ For further guidance on managing and securing AWS Systems Manager in your enviro """ references = [ "https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateDocument.html", - "https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html" + "https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html", ] risk_score = 21 rule_id = "50a2bdea-9876-11ef-89db-f661ea17fbcd" @@ -68,7 +70,7 @@ tags = [ "Data Source: AWS Systems Manager", "Resources: Investigation Guide", "Use Case: Threat Detection", - "Tactic: Execution" + "Tactic: Execution", ] timestamp_override = "event.ingested" type = "new_terms" @@ -81,6 +83,21 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.response_elements: *documentType=Command* ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "source.address", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", +] + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml index ae249f709..256caac2f 100644 --- a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml +++ b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2024/11/01" +updated_date = "2024/11/07" [rule] author = ["Elastic"] 
@@ -81,6 +81,22 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.request_parameters: *protocol=email* ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "source.address", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.flattened.request_parameters.protocol", + "aws.cloudtrail.flattened.request_parameters.topicArn", + "aws.cloudtrail.flattened.response_elements.subscriptionArn", + "aws.cloudtrail.request_parameters" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml index 8513689c4..37d950ef7 100644 --- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml +++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2024/05/01" maturity = "production" -updated_date = "2024/10/09" +updated_date = "2024/11/07" min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully" min_stack_version = "8.13.0" @@ -97,6 +97,13 @@ from logs-aws.cloudtrail* | where failed_requests > 40 ''' +[rule.investigation_fields] +field_names = [ + "source.address", + "tls.client.server_name", + "cloud.account.id", + "failed_requests" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index 8c70b9fab..c01a4fe6b 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml 
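Review bot: The field list surfaces `protocol` and `topicArn` but not the subscription's `endpoint`, which for an email subscription is the destination address — the single most useful value when triaging an exfiltration alert. If the integration flattens it, add `"aws.cloudtrail.flattened.request_parameters.endpoint",` after `topicArn` and declare it in `non-ecs-schema.json` if it is not already; until then the address is only reachable inside the raw `aws.cloudtrail.request_parameters` string that is already listed.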
@@ -2,7 +2,7 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" [rule] author = ["Elastic", "Austin Songer"] @@ -100,6 +100,22 @@ event.dataset: "aws.cloudtrail" and event.outcome: "success" ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", + "aws.cloudtrail.flattened.request_parameters.instanceId", + "event.action", + "event.outcome", + "cloud.region", + "event.provider", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" +] + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml index bd9ea86e2..787afc8f6 100644 --- a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml +++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2024/11/04" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -96,6 +96,20 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.user_identity.arn: *i-* ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "source.address", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" +] [[rule.threat]] framework = "MITRE ATT&CK" 
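Review bot: This list omits `source.address`, which every other CloudTrail rule in the patch adds and which the commit message calls out; add `"source.address",` after `user.name`. Separately, `aws.cloudtrail.flattened.request_parameters.instanceId` is only populated on the instance-attribute form of a security-group change, while the object modified by the `AuthorizeSecurityGroup*`/`RevokeSecurityGroup*` family is identified by `groupId`; the visible tail of the query does not show which actions the rule matches, so if it covers the group APIs consider adding `"aws.cloudtrail.flattened.request_parameters.groupId",` alongside `instanceId`, with the matching schema entry.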
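Review bot: The created user's name is the first pivot an analyst will need, and the access-key rule in this same patch shows the integration mapping CloudTrail's `userName` request parameter to `user.target.name`; if the same mapping applies to `CreateUser`, add `"user.target.name",` after `user_agent.original` so the name is shown without parsing `aws.cloudtrail.request_parameters` by eye.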
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index 89988bcd0..667975159 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/13" integration = ["aws"] maturity = "production" -updated_date = "2024/10/09" +updated_date = "2024/11/07" min_stack_comments = "ES|QL rule type in technical preview as of 8.13" min_stack_version = "8.13.0" @@ -104,9 +104,39 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index and event.action == "CreateAccessKey" and event.outcome == "success" and user.name != user.target.name -| keep @timestamp, event.provider, event.action, event.outcome, user.name, user.target.name +| keep + @timestamp, + cloud.region, + event.provider, + event.action, + event.outcome, + user.name, + source.address, + user.target.name, + user_agent.original, + aws.cloudtrail.request_parameters, + aws.cloudtrail.response_elements, + aws.cloudtrail.user_identity.arn, + aws.cloudtrail.user_identity.type, ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "source.address", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", + "user.target.name", + "event.action", + "event.outcome", + "cloud.region", + "event.provider", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", +] + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml index 0518c0b92..113fc52ef 100644 
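Review bot: The rewritten `keep` ends with `aws.cloudtrail.user_identity.type,` — a trailing comma immediately before the closing `'''`, which ES|QL's `KEEP` grammar does not, as far as I know, accept; the parallel `keep` in the AdministratorAccess rule of this same patch ends on `source.address` without one. A parse error here may surface only when the rule is loaded into a stack rather than from the repository's unit tests, so please drop the comma or confirm against a running cluster. The query body above the `keep` lies outside what this hunk shows.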
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/30" integration = ["aws"] maturity = "production" -updated_date = "2024/10/09" +updated_date = "2024/11/07" min_stack_comments = "ES|QL rule type in technical preview as of 8.13." min_stack_version = "8.13.0" @@ -103,9 +103,38 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index | where event.provider == "iam.amazonaws.com" and event.action == "AttachUserPolicy" and event.outcome == "success" | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}" | where policyName == "AdministratorAccess" -| keep @timestamp, event.provider, event.action, event.outcome, policyName, target.userName +| keep + @timestamp, + cloud.region, + event.provider, + event.action, + event.outcome, + policyName, + target.userName, + aws.cloudtrail.request_parameters, + aws.cloudtrail.user_identity.arn, + related.user, + user_agent.original, + user.name, + source.address ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "source.address", + "aws.cloudtrail.user_identity.arn", + "user_agent.original", + "target.userName", + "event.action", + "policyName", + "event.outcome", + "cloud.region", + "event.provider", + "aws.cloudtrail.request_parameters" +] + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 8bbbd1a4d..0e20b0ca5 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml 
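Review bot: This rule's list is the only CloudTrail one in the patch without `aws.cloudtrail.user_identity.type`, and the distinction matters more here than elsewhere: `AdministratorAccess` attached by an `IAMUser` is a different investigation from the same action by an `AssumedRole` session, whose real principal sits in `session_context`. Add `aws.cloudtrail.user_identity.type` to both the `keep` (an ES|QL rule only exposes columns it keeps) and `field_names`, next to `aws.cloudtrail.user_identity.arn`.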
+++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2024/11/04" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -94,9 +94,25 @@ event.dataset: "aws.cloudtrail" and event.provider: "iam.amazonaws.com" and event.action: "AttachRolePolicy" and event.outcome: "success" - and not aws.cloudtrail.flattened.request_paramters.policyArn: arn\:aws\:iam\:\:aws\:policy* + and not aws.cloudtrail.flattened.request_parameters.policyArn: arn\:aws\:iam\:\:aws\:policy* ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "source.address", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", + "aws.cloudtrail.flattened.request_parameters.policyArn", + "aws.cloudtrail.flattened.request_parameters.roleName", + "event.action", + "event.outcome", + "cloud.region", + "event.provider", + "aws.cloudtrail.request_parameters" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index 8a417a91b..c23ae37fb 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml @@ -2,7 +2,7 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" [rule] author = ["Elastic", "Austin Songer"] 
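Review bot: The corrected field name turns the exclusion on: with the misspelled `request_paramters` the `not` clause referenced a field no document has, which KQL evaluates as true for every event, so this rule would have fired on AWS-managed policy attachments as well — that alert-volume change should be stated in the PR description. The pattern `arn\:aws\:iam\:\:aws\:policy*` also only matches the commercial partition; AWS-managed policies in GovCloud and China carry `arn:aws-us-gov:` and `arn:aws-cn:` prefixes and would still alert as though customer-managed. `and not aws.cloudtrail.flattened.request_parameters.policyArn: arn\:aws*\:iam\:\:aws\:policy*` covers all three partitions.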
@@ -103,6 +103,22 @@ event.dataset: "aws.cloudtrail" ) ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "source.address", + "aws.cloudtrail.user_identity.invoked_by", + "aws.cloudtrail.flattened.request_parameters.roleArn", + "aws.cloudtrail.flattened.request_parameters.roleSessionName", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index 99720156a..da41ca73b 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -94,6 +94,24 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser") ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "user.name", + "user_agent.original", + "source.address", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "aws.cloudtrail.flattened.request_parameters.roleArn", + "aws.cloudtrail.flattened.request_parameters.roleSessionName", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" +] [[rule.threat]] framework = "MITRE ATT&CK" 
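Review bot: `cloud.account.id` is absent from this list while `cloud.region` is present; `AssumeRole` is the cross-account primitive, so the account receiving the call and the account embedded in `flattened.request_parameters.roleArn` are what separate a service assuming a role in its own account from one reaching into another. Add `"cloud.account.id",` next to `cloud.region`; if the integration also populates `aws.cloudtrail.recipient_account_id`, that is the more precise field for the target side.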
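Review bot: The new session's access key ID is the pivot for everything done with the assumed role afterwards, and here it is only reachable inside the raw `aws.cloudtrail.response_elements` string; if the integration flattens it, add `"aws.cloudtrail.flattened.response_elements.credentials.accessKeyId",` and `"aws.cloudtrail.flattened.response_elements.assumedRoleUser.arn",` after `roleSessionName`, with matching `non-ecs-schema.json` entries. The `assumedRoleUser.arn` value is also what appears as `aws.cloudtrail.user_identity.arn` on the follow-on events, which makes the chain queryable straight from the alert.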
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml index 17aa3aae7..d0658be95 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2024/05/02" maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" min_stack_version = "8.13.0" @@ -85,3 +85,11 @@ from logs-aws_bedrock.invocation-* | where total_denials > 3 | sort total_denials desc ''' + +[rule.investigation_fields] +field_names = [ + "user.id", + "cloud.account.id", + "gen_ai.request.model.id", + "total_denials" +] diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml index c2f124cd5..2e006fe16 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/09/11" integration = ["aws_bedrock"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview" min_stack_version = "8.13.0" 
@@ -92,3 +92,12 @@ from logs-aws_bedrock.invocation-* | stats total_denials = count(*) by target_time_window, user.id, cloud.account.id | where total_denials > 3 ''' + +[rule.investigation_fields] +field_names = [ + "target_time_window", + "user.id", + "cloud.account.id", + "total_denials" + +] diff --git a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml index fcc0f8c20..e4a2ed6fd 100644 --- a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml +++ b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml @@ -3,7 +3,7 @@ bypass_bbr_timing = true creation_date = "2024/07/24" integration = ["aws"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -64,6 +64,23 @@ any where event.dataset == "aws.cloudtrail" ) ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "source.address", + "user.name", + "user.id", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", + "user.target.name", + "event.action", + "event.outcome", + "cloud.region", + "event.provider", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" +] [[rule.threat]] framework = "MITRE ATT&CK"
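Review bot: There is a stray blank line between `"total_denials"` and the closing `]` of `field_names`; it is valid TOML but no other list in this patch has one, and the sibling Bedrock rule above closes its array directly. Drop the blank line so the block reads like the others.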