Rule is executing as expected, however it is alerting on failed requests. Low alert telemetry.
This tuning:
- removed markdown and edited description to be more specific
- reduced execution window for 1 min lookback
- name change to add `AWS` consistent with all other rules
- added references that reflect in the wild threats and persistence usage
- increased risk_score and severity to medium accounting for usage as persistence mechanism in the wild
- added Persistence tag and Mitre tactic, technique, subtechnique
- added `event.outcome: success` criteria to query
- edited investigation guide to be more accurate reflection of steps required for investigating alert, including appropriate response action
- added highlighted fields
** Note: only IAMUser and Root user identities can call this actions so we can use `aws.cloudtrail.user_identity.arn` as the new terms field without worrying about Role vs Role + Session issue seen with other new_terms rules
* [Tuning] First Time AWS Cloudformation Stack Creation by User
- corrected a creation_date error
- Removed `CreateStackSet` API call as this only creates a blueprint for creating stack instances across multiple AWS accounts and regions but does not actually create the resources
- Added `CreateStackInstances` API call which is used to create resources defined in the StackSet
- removed user from rule name as this also triggers for roles
- edited description and investigation guide
- added Mitre technique
* adding highlighted fields
This rule is evaluating the "new terms" against every individual role session, rather than against the Role itself. This is causing a massive volume of alerts
- updated rule description and investigation guide
- reduced execution window and interval
- replaced new terms from `user.id` to combination of `cloud.account.id` and `user.name` to account for evaluation against Roles and in the event that separate AWS accounts under the same Org reuse IAM user names. This will only evaluate the Role instead of each individual role session, which should greatly improve performance.
* [Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time
Rule is executing as expected with no troubling alerts in telemetry. For tuning I've:
- reduced the execution window
- removed MD from description and FP as it's not supported in Kibana UI
- edited some of the language of IG to speak about the exclusion of AssumedRoles
- edited the highlighted fields for consistency across AWS rules
* updated broken link
updated broken reference link
* [Rule Tuning] AWS STS AssumeRole with New MFA Device
This rule is triggering as expected and low volume of alerts in telemetry. This tuning:
- slight edits to IG
- removed user.id wildcard usage in query as this field always exists for these events
- added the from and interval fields for consistency across rules (they are currently using the same values by default so no real change here)
* adding investigation fields
adding investigation fields
* adjusted Potential Widespread Malware Infection Across Multiple Hosts
* adjusted Microsoft Azure or Mail Sign-in from a Suspicious Source
* adjusted AWS EC2 Multi-Region DescribeInstances API Calls
* adjusted AWS Discovery API Calls via CLI from a Single Resource
* adjusted AWS Service Quotas Multi-Region Requests
* adjusted AWS EC2 EBS Snapshot Shared or Made Public
* adjusted AWS S3 Bucket Enumeration or Brute Force
* adjusted AWS EC2 EBS Snapshot Access Removed
* adjusted Potential AWS S3 Bucket Ransomware Note Uploaded
* adjusted AWS S3 Object Encryption Using External KMS Key
* adjusted AWS S3 Static Site JavaScript File Uploaded
* adjusted AWS Access Token Used from Multiple Addresses
* adjusted AWS Signin Single Factor Console Login with Federated User
* adjusted AWS IAM AdministratorAccess Policy Attached to Group
* adjusted AWS IAM AdministratorAccess Policy Attached to Role
* adjusted AWS IAM AdministratorAccess Policy Attached to User
* adjusted AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
* adjusted AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
* adjusted AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
* adjusted Unusual High Confidence Content Filter Blocks Detected
* adjusted Potential Abuse of Resources by High Token Count and Large Response Sizes
* AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
* Unusual High Denied Sensitive Information Policy Blocks Detected
* adjusted Unusual High Denied Topic Blocks Detected
* adjusted AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
* adjusted Unusual High Word Policy Blocks Detected
* adjusted Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
* adjusted Azure Entra MFA TOTP Brute Force Attempts
* adjusted Microsoft Entra ID Sign-In Brute Force Activity
* adjusted Microsoft Entra ID Exccessive Account Lockouts Detected
* adjusted Microsoft 365 Brute Force via Entra ID Sign-Ins
* deprecated Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
* adjusted Microsoft Entra ID Session Reuse with Suspicious Graph Access
* adjusted Suspicious Microsoft OAuth Flow via Auth Broker to DRS
* adjusted Potential Denial of Azure OpenAI ML Service
* adjusted Azure OpenAI Insecure Output Handling
* adjusted Potential Azure OpenAI Model Theft
* adjusted M365 OneDrive Excessive File Downloads with OAuth Token
* adjusted Multiple Microsoft 365 User Account Lockouts in Short Time Window
* adjusted Potential Microsoft 365 User Account Brute Force
* adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code
* adjusted Multiple Device Token Hashes for Single Okta Session
* adjusted Multiple Okta User Authentication Events with Client Address
* adjusted Multiple Okta User Authentication Events with Same Device Token Hash
* adjusted High Number of Okta Device Token Cookies Generated for Authentication
* adjusted Okta User Sessions Started from Different Geolocations
* adjusted High Number of Egress Network Connections from Unusual Executable
* adjusted Unusual Base64 Encoding/Decoding Activity
* adjusted Potential Port Scanning Activity from Compromised Host
* adjusted Potential Subnet Scanning Activity from Compromised Host
* adjusted Unusual File Transfer Utility Launched
* adjusted Potential Malware-Driven SSH Brute Force Attempt
* adjusted Unusual Process Spawned from Web Server Parent
* adjusted Unusual Command Execution from Web Server Parent
* adjusted Rare Connection to WebDAV Target
* adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences
* adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
* adjusted Unusual File Creation by Web Server
* adjusted Potential PowerShell Obfuscation via High Special Character Proportion
* adjusted Potential Malicious PowerShell Based on Alert Correlation
* adjusted Potential PowerShell Obfuscation via Character Array Reconstruction
* adjusted Potential PowerShell Obfuscation via String Reordering
* adjusted Potential PowerShell Obfuscation via String Concatenation
* adjusted Potential PowerShell Obfuscation via Reverse Keywords
* adjusted PowerShell Obfuscation via Negative Index String Reversal
* adjusted Dynamic IEX Reconstruction via Method String Access
* adjusted Potential Dynamic IEX Reconstruction via Environment Variables
* adjusted Potential PowerShell Obfuscation via High Numeric Character Proportion
* adjusted Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
* adjusted Rare Connection to WebDAV Target
* adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences
* adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
* adjusted Potential PowerShell Obfuscation via Character Array Reconstruction
* adjusted Potential PowerShell Obfuscation via High Special Character Proportion
* adjusted Potential PowerShell Obfuscation via Special Character Overuse
* adjusted Potential PowerShell Obfuscation via String Reordering
* adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code
* adjusted fields that were inconsistent
* adjusted additional fields
* adjusted esql to Esql
* adjusted several rules for common field names
* updating rules
* updated dates
* updated dates
* updated ESQL fields
* lowercase all functions and logical operators
* adjusted dates for unit tests
* Update Esql_priv to Esql_temp as these don't hold PII
* PowerShell adjustments
* Make query comments consistent
* update comment
* reverted 2856446a-34e6-435b-9fb5-f8f040bfa7ed
* Update rules/windows/discovery_command_system_account.toml
* removed dot notation
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Completing Deprecation process for AWS EC2 Snapshot Activity
- It's been 2 rule releases since initial name change
- changed maturity to deprecation
- updated deprecation_date
- moved file to _deprecated folder
* [Rule Tunings] Reduce Usage of Flattened Fields in AWS Rules
This PR is in part a response to the following issues regarding the future of flattened fields in AWS, which we use as an essential part of our ruleset. However, this is also in response to the ongoing ruleset audit. Some of the flattened fields used are not truly necessary for the alert to trigger or can be replaced by a different field. Those changes have been made here and our non_ecs file has been edited to remove the unnecessary fields. Additionally, flattened fields have been removed from highlighted fields, and from investigation guides.
* Update discovery_ec2_userdata_request_for_ec2_instance.toml
updated_date
* Update execution_ssm_sendcommand_by_rare_user.toml
updated_date
* Update non-ecs-schema.json
add necessary field for ModifyInstanceAttribute action
* Update persistence_ec2_security_group_configuration_change_detection.toml
added missing event.action AuthorizeSecurityGroupIngress, narrowed scope for ModifyInstanceAttribute action by adding a necessary flattened_field
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
updated min_stack_version for new field target.entity.id
* Update privilege_escalation_iam_customer_managed_policy_attached_to_role.toml
* Update privilege_escalation_iam_update_assume_role_policy.toml
updating min_stack to account of target.entity.id field
* Update impact_s3_excessive_object_encryption_with_sse_c.toml
adding highlighted fields
* Update rules/integrations/aws/exfiltration_dynamodb_table_exported_to_s3.toml
* Apply suggestions from code review
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* [Rule Tunings] AWS SSM Command Document Created by Rare User
## AWS SSM Command Document Created by Rare User
Rule executes as expected and has very few alerts in telemetry. However, it is one of the rules timing out occasionally.
- reduced execution window
- reduced new terms history window
- replaced wildcards with the flattened field in the query, which should improve performance
- replaced `aws.cloudtrail.user_identity.arn` with combination of `cloud.account.id` and `user.name` to account for Assumed Roles. This will only evaluate the role instead of each individual role session, which will improve performance.
- added investigation fields
- corrected tags
- added mitre technique
## AWS SSM `SendCommand` Execution by Rare User"
- added investigation fields
- added tag
* update pyproject.toml
update pyproject.toml version
AWS Role Assumption By Service
The newest versions of this rule seem fine in telemetry and the rule executes as expected
- removed MD from description
- adjusted execution window for 1 m look back
- fixed inaccuracies in Investigation Guide
- added Lateral Movement tag
- adjusted highlighted fields
- reduced history window from 14 to 10 days
AWS Role Assumption By User
This rule seem fine in telemetry and the rule executes as expected
- removed MD from description
- fixed inaccuracies in Investigation Guide
- added Lateral Movement tag
- adjusted highlighted fields
- added `cloud.account.id` to new_terms field to account for duplicate user.names across cloud accounts
- replaced new terms flattened field for `aws.cloudtrail.resources.arn`, which gives the same result and remains consistent with the other rule.
Rule is triggering as expected, very low instances of alerts in telemetry
- adjusted execution window
- slight edits to IG for accuracy
- removed exclusion `and not aws.cloudtrail.user_identity.arn: *AWSServiceRoleForAmazonSSM/StateManagerService*` from the query. This is a service-linked role meant to be used by AWS internal services. Therefore, the existing exclusion `and not source.address: "ssm.amazonaws.com"` already excludes the use of this role by the SSM service. I show this in the screenshot below. This will remove the use of wildcards in the query and improve performance.
- changed the new terms fields to use combination of `cloud.account.id` and `user.name` so that only roles (and not individual role sessions) are being evaluated. adding `cloud.account.id` accounts for duplicate user.names across multiple accounts.
* [Rule Tuning] AWS IAM Assume Role Policy Update
- changed time window to have only 1 minute lookback
- changed the new terms field to look at combination of cloud.account.id, user.name, and roleName. This is to account for the problem with using user_identity.arn for AssumedRoles. Roles are identities in AWS that are granted a set of permissions and can then be assumed by various users across many different sessions. Each of these sessions is designated a session name which is attached to the `user_identity.arn`. This means that each time a Role is assumed, there is a unique user_identity.arn created. This rule is meant to capture unique instances of the Role itself which is captured separate from the individual session names in the `user.name` field. `cloud.account.id` has been added to the new_terms fields to account for organizations with multiple AWS account ids, which may reuse certain user.names across accounts.
This may improve performance especially in environments where there are many users assuming the same role and updating it's trust policy as a part of normal operations.
* remove markdown from description
* [Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance
- changed execution window
- explicitly added flattened fields to query, to reduce wildcard usage
- added investigation fields
- changed new terms field to evaluate `user.name` over `aws.cloudtrail.user_identity.arn` so that only the role name for Assumed Role identitites is being evaluated instead of each individual session. This should greatly impact performance as most instances of this rule in telemetry is triggered by Assumed Roles.
* Apply suggestions from code review
* remove instanceId parameter
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New Rule] AWS CloudTrail Log Evasion
Identifies the evasion of cloudtrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail’s logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true.
This is a known gap in AWS with no immediate remediation steps. While the size constraint issue affects additional services, IAM policy-related API calls are the only that pose a security risk which is why this rule is scoped specifically to `event.provider: iam.amazonaws.com`. For additional background on the evasion technique refer to Permisso's [research](https://permiso.io/blog/cloudtrail-logging-evasion-where-policy-size-matters).
* aligning IG and rule name
* added investigation fields
added investigation fields
* change severity
* updating pyproject version
* [Rule Tuning] AWS EC2 Deprecated AMI Discovery
Rule triggers as expected
Telemetry shows only known FP risks from tools that are intentionally including deprecated AMIs in their searches (these should be excluded by customers)
- changed the query to reduce use of multiple wildcards
- changed the execution window
- removed unnecessary parts of IG
- added to the highlighted fields
* update non-ecs-schema.json
update non-ecs-schema.json with field "aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner"
* update version in pyproject.toml
update version in pyproject.toml
* Update pyproject.toml
* [Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role
- Edited Rule Name, Description, and Investigation Guide to better align with the behavior captured by this rule
- adjusted execution window
- added highlighted fields
* adding account id to highlighted fields
adding account id to highlighted fields
* changing AWS EC2 tag for consistency across EC2 rules
changing AWS EC2 tag for consistency across EC2 rules
* [Rule Tuning][New Rule][Deprecation] AWS EC2 EBS Snapshot Activity Rules
1. Rule Tuning - to prevent duplicate alerts for AWS EC2 EBS Snapshot Shared of Made Public, the execution interval has been adjusted from 5m interval with 4m lookback to 5m interval with 1m lookback.
2. New Rule - to capture when access is removed from an EBS Snapshot. While this may be intentional behavior it could indicate malicious attempts to inhibit system recovery efforts post-compromise, or to maintain exclusive access to critical backups by removing permissions for all users except their own controlled account.
3. Deprecate - AWS EC2 Snapshot Activity is too broad a rule and the behavior of the other 2 rules resulting in duplicate alerts and non-specific context for which permission change type is happening (`add` vs `remove`).
* adding updated_date to new rule
* adding Deprecated to IG title
* adding source.address to keep fields
* [Tuning] AWS Access Token Used from Multiple Addresses
Rule tuning for AWS STS Temporary IAM Session Token Used from Multiple Addresses
* update min stack
* add access key identification to IG
add access key identification to IG
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* new rules for AWS DynamoDB data exfiltration
* bumping patch version
* adjusting investigation guide
* updating patch version
* updating patch version
* updating patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* new rule 'AWS SNS Topic Created by Rare User'
* changed file name
* Update rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml
* moved new terms link to investigation guide
* [Rule Tuning] AWS Monthly Rule Tunings
* Adding several more AWS tunings
* updating patch version
* updating non-ecs type to boolean
* fixed cloudtrail index
* new rule 'AWS EC2 Deprecated AMI Discovery'
* updated type
* updated non-ecs; bumped package version
* updated query
* added missing index
* updated patch version
* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Isai