* [Rule Tuning] AWS IAM Assume Role Policy Update
- changed time window to have only 1 minute lookback
- changed the new terms field to look at combination of cloud.account.id, user.name, and roleName. This is to account for the problem with using user_identity.arn for AssumedRoles. Roles are identities in AWS that are granted a set of permissions and can then be assumed by various users across many different sessions. Each of these sessions is designated a session name which is attached to the `user_identity.arn`. This means that each time a Role is assumed, there is a unique user_identity.arn created. This rule is meant to capture unique instances of the Role itself which is captured separate from the individual session names in the `user.name` field. `cloud.account.id` has been added to the new_terms fields to account for organizations with multiple AWS account ids, which may reuse certain user.names across accounts.
This may improve performance especially in environments where there are many users assuming the same role and updating it's trust policy as a part of normal operations.
* remove markdown from description
* [Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance
- changed execution window
- explicitly added flattened fields to query, to reduce wildcard usage
- added investigation fields
- changed new terms field to evaluate `user.name` over `aws.cloudtrail.user_identity.arn` so that only the role name for Assumed Role identitites is being evaluated instead of each individual session. This should greatly impact performance as most instances of this rule in telemetry is triggered by Assumed Roles.
* Apply suggestions from code review
* remove instanceId parameter
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New Rule] AWS CloudTrail Log Evasion
Identifies the evasion of cloudtrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail’s logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true.
This is a known gap in AWS with no immediate remediation steps. While the size constraint issue affects additional services, IAM policy-related API calls are the only that pose a security risk which is why this rule is scoped specifically to `event.provider: iam.amazonaws.com`. For additional background on the evasion technique refer to Permisso's [research](https://permiso.io/blog/cloudtrail-logging-evasion-where-policy-size-matters).
* aligning IG and rule name
* added investigation fields
added investigation fields
* change severity
* updating pyproject version
* [Rule Tuning] AWS EC2 Deprecated AMI Discovery
Rule triggers as expected
Telemetry shows only known FP risks from tools that are intentionally including deprecated AMIs in their searches (these should be excluded by customers)
- changed the query to reduce use of multiple wildcards
- changed the execution window
- removed unnecessary parts of IG
- added to the highlighted fields
* update non-ecs-schema.json
update non-ecs-schema.json with field "aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner"
* update version in pyproject.toml
update version in pyproject.toml
* Update pyproject.toml
* [Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role
- Edited Rule Name, Description, and Investigation Guide to better align with the behavior captured by this rule
- adjusted execution window
- added highlighted fields
* adding account id to highlighted fields
adding account id to highlighted fields
* changing AWS EC2 tag for consistency across EC2 rules
changing AWS EC2 tag for consistency across EC2 rules
* [Rule Tuning][New Rule][Deprecation] AWS EC2 EBS Snapshot Activity Rules
1. Rule Tuning - to prevent duplicate alerts for AWS EC2 EBS Snapshot Shared of Made Public, the execution interval has been adjusted from 5m interval with 4m lookback to 5m interval with 1m lookback.
2. New Rule - to capture when access is removed from an EBS Snapshot. While this may be intentional behavior it could indicate malicious attempts to inhibit system recovery efforts post-compromise, or to maintain exclusive access to critical backups by removing permissions for all users except their own controlled account.
3. Deprecate - AWS EC2 Snapshot Activity is too broad a rule and the behavior of the other 2 rules resulting in duplicate alerts and non-specific context for which permission change type is happening (`add` vs `remove`).
* adding updated_date to new rule
* adding Deprecated to IG title
* adding source.address to keep fields
* tuning Microsoft Entra ID Protection Anonymized IP Risk Detection
* adjusted tags and mappings
* added max signals
* adjusted file name
* adding max signals note
* adjusted mitre mapping
* [Tuning] AWS Access Token Used from Multiple Addresses
Rule tuning for AWS STS Temporary IAM Session Token Used from Multiple Addresses
* update min stack
* add access key identification to IG
add access key identification to IG
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* new rule Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails
* updating uuid
* adjusted query logic per KQL parser
* adjusted metadata for integration
* rule tuning 'Potential Microsoft 365 Brute Force via Entra ID Sign-Ins'
* updated lookback windows, date truncation times
* updated investigation guide
* new rule 'Suspicious Email Access by First-Party Application via Microsoft Graph'
* updated patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Add exceptions for non-interactive signin failures.
Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:
- 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
- 70044 : Session expired or no longer valid due to conditional access frequency checks
- 50057 : User account is disabled
* Update rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
* Update metadata for `updated_date`
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* tuning rule to exclude service principals added by MSFT
* added additional exclusions
* updated rule name and file name
* updated investigation guide and mitre
* tuning 'Azure Service Principal Credentials Added'
* updated patch version
* added investigation guide
* updating patch version
* updating patch version
Terrance DeJesus