Completing Deprecation process for AWS EC2 Snapshot Activity
- It's been 2 rule releases since initial name change
- changed maturity to deprecation
- updated deprecation_date
- moved file to _deprecated folder
* [Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules
This PR is in part a response to the following issues regarding the future of flattened fields in AWS, which we use as an essential part of our ruleset. However, this is also in response to the ongoing ruleset audit. Some of the flattened fields used are not truly necessary for the alert to trigger or can be replaced by a different field. Those changes have been made here and our non_ecs file has been edited to remove the unnecessary fields. Additionally, flattened fields have been removed from highlighted fields, and from investigation guides.
* Update discovery_ec2_userdata_request_for_ec2_instance.toml
updated_date
* Update execution_ssm_sendcommand_by_rare_user.toml
updated_date
* Update non-ecs-schema.json
add necessary field for ModifyInstanceAttribute action
* Update persistence_ec2_security_group_configuration_change_detection.toml
added missing event.action AuthorizeSecurityGroupIngress, narrowed scope for ModifyInstanceAttribute action by adding a necessary flattened_field
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
updated min_stack_version for new field target.entity.id
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
* Update privilege_escalation_iam_update_assume_role_policy.toml
updating min_stack to account of target.entity.id field
* Update impact_s3_excessive_object_encryption_with_sse_c.toml
adding highlighted fields
* Update rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
* Apply suggestions from code review
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* new rule Microsoft Entra ID Suspicious Cloud Device Registration
* adjusted backticks in non-ecs and rule
* linted
* adjusted uuid; bumped patch version
* [Rule Tunings] AWS SSM Command Document Created by Rare User
## AWS SSM Command Document Created by Rare User
Rule executes as expected and has very few alerts in telemetry. However, it is one of the rules timing out occasionally.
- reduced execution window
- reduced new terms history window
- replaced wildcards with the flattened field in the query, which should improve performance
- replaced `aws.cloudtrail.user_identity.arn` with combination of `cloud.account.id` and `user.name` to account for Assumed Roles. This will only evaluate the role instead of each individual role session, which will improve performance.
- added investigation fields
- corrected tags
- added mitre technique
## AWS SSM `SendCommand` Execution by Rare User"
- added investigation fields
- added tag
* update pyproject.toml
update pyproject.toml version
AWS Role Assumption By Service
The newest versions of this rule seem fine in telemetry and the rule executes as expected
- removed MD from description
- adjusted execution window for 1 m look back
- fixed inaccuracies in Investigation Guide
- added Lateral Movement tag
- adjusted highlighted fields
- reduced history window from 14 to 10 days
AWS Role Assumption By User
This rule seem fine in telemetry and the rule executes as expected
- removed MD from description
- fixed inaccuracies in Investigation Guide
- added Lateral Movement tag
- adjusted highlighted fields
- added `cloud.account.id` to new_terms field to account for duplicate user.names across cloud accounts
- replaced new terms flattened field for `aws.cloudtrail.resources.arn`, which gives the same result and remains consistent with the other rule.
Rule is triggering as expected, very low instances of alerts in telemetry
- adjusted execution window
- slight edits to IG for accuracy
- removed exclusion `and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*` from the query. This is a service-linked role meant to be used by AWS internal services. Therefore, the existing exclusion `and not source.address: "ssm.amazonaws.com"` already excludes the use of this role by the SSM service. I show this in the screenshot below. This will remove the use of wildcards in the query and improve performance.
- changed the new terms fields to use combination of `cloud.account.id` and `user.name` so that only roles (and not individual role sessions) are being evaluated. adding `cloud.account.id` accounts for duplicate user.names across multiple accounts.
* tuning rule Suspicious Microsoft 365 Mail Access by Unusual ClientAppId
* adjusted tactic tag
* updating patch version
* updating patch version
* bumping patch version
* [Rule Tuning] First Time Seen NewCredentials Logon Process
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New Rule] Forbidden Request from Unusual User Agent in Kubernetes
* Update rules/integrations/kubernetes/execution_forbidden_request_from_unsual_user_agent.toml
Mika Ayenson, PhD