Resolves#5202Resolves#5203Resolves#5204
The gen_ai.policy.action field is an array, so an additional mv_expand
is necessary for the rules to work correctly with AWS Bedrock integration
events that contain multiple policy actions.
Updated rules:
- Unusual High Word Policy Blocks Detected
- Unusual High Denied Topic Blocks Detected
- Unusual High Denied Sensitive Information Policy Blocks Detected
- Unusual High Confidence Content Filter Blocks Detected
- AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* [Rule Tunings] AWS EC2 EBS Snapshot and Encryption Rules
AWS EC2 Encryption Disabled
rule performance is good, telemetry looks low as expected
- additional context to description to emphasize the security concern and purpose of the rule
- updated investigation guide
- added highlighted fields
- reduced execution window
AWS EC2 EBS Snapshot Access Removed
rule alerts as expected, telemetry volume is low as expected. however, this rule can be accomplished using EQL so I've changed the rule type
- changed rule type to eql
- added index
- updated IG
- added highlighted fields
note: I have to use `any` for the query since there is no `event.category` defined for `event.action: ModifySnapshotAttribute`
AWS EC2 EBS Snapshot Shared or Made Public
Converted to EQL. As an ESQL rule the primary benefit was being able to definitely exclude instances where a user adds their own account id when calling the ModifySnapshotAttribute instead of an external account id. This is a redundant action as the snapshot when created is automatically shared with the account it's created in. But this could be a false positive if it's done by mistake. Instead of keeping this as an ESQL rule, I still think there is more value to converting this to EQL for both customer alert context and telemetry. When looking at production data, I saw no instances where the owning account id was added in this way. Its a rare mistake that shouldn't happen often enough to support keeping this as an ESQL rule.
- converted to EQL
- added index
- updated IG
- updated description
- added highlighted fields
* adding event_category_override = "event.provider"
override event.category to event.provider to account for the use of "any" in EQL query
* normalizing IG title capitalization
normalizing IG title capitalization
* bumping severity to medium
since EC2 snapshot data can be sensitive, unauthorized sharing or access removal should be triaged
* updated event_category_override field
replaced event.provider with event.type to satisfy EQL library parsing requirements
#### AWS S3 Bucket Server Access Logging Disabled
Rule is triggering as expected with low telemetry
- removed `any` from EQL query by replacing event category field with `event.type` as this is mapped for the API action `PutBucketLogging`
- added `event.provider` as part of query
- updated Investigation guide
- Added highlighted fields
* [Rule Tuning] AWS S3 Bucket Expiration Lifecycle Configuration Added
AWS S3 Bucket Expiration Lifecycle Configuration Added
- changed rule type to EQL so as not to use the double wildcard
- used `event.type` as event category override field because `event.category` is not mapped for `PutBucketLifecycle` action
- removed unnecessary `*LifecycleConfiguration*` check from query, this field is required for any `PutBucketLifecycle` API call so unnecessary to include in the query.
- updated description and IG
- reduced execution window
- updated Mitre mapping
- removed incorrect setup notes
- added highlighted fields
* fixing Mitre mapping error
* adding IG disclaimer
* [New Rule][Deprecation] AWS EC2 Export Tasks Rules
**AWS EC2 VM Export Failure**
Starting Deprecation process for this rule. I cannot see the value in alerting on a failed VM export attempt. This is rare behavior in general but failed attempts don't warrant an alert especially considering we have no coverage for an actual successful VM Export. This rule has had no alerts in telemetry, I've seen no hits in prod data either. VM exports have a very specific use-case, they can be used to create VM image files that can be downloaded and used to run a VM locally. Successful exports warrant an alert.
**AWS EC2 Export Task**
This new rule is meant to fill the previously mentioned gap regarding successful VM exports. But also includes other forms of EC2 export tasks.
`CreateImageExportTask`
`ExportImage`
`CreateStoreImageTask`
* adding highlighted fields
adding highlighted fields
* Update rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
* Update rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
* [Rule Tuning] AWS EC2 Full Network Packet Capture Detected
**AWS EC2 Full Network Packet Capture Detected**
Alert telemetry is low in general however the alerts that do exist are unnecessarily duplicative in nature. When a traffic mirror session is created (CreateTrafficMirrorSession), it is typcially created alongside A filter and filter rules (CreateTrafficMirrorFilter, CreateTrafficMirrorFilterRule) which determines what traffic will be mirrored. There is also a traffic mirror target (CreateTrafficMirrorTarget), which is the destination for the mirrored traffic to go. The original scope of this rule included all of those APIs when really the only API needed here is `CreateTrafficMirrorSession`, which is the actual network mirroring behavior. The rest of those calls can be used as additional context during alert triage, but I've significantly reduced the scope of this rule to only capture the actual traffic mirroring behavior.
- reduced the query scope to `CreateTrafficMirrorSession` only
- reduced the execution window
- update description and investigation guide
- replaced API reference link
- added highlighted fields
* updating mitre technique
updating mitre technique
* updated Mitre mapping
adding network sniffing technique
* updating references to include relevant threat blog
updating references to include relevant threat blog
* adding EC2 tag
adding EC2 tag
* updating EC2 tagging
* [Rule Tuning] AWS S3 Object Versioning Suspended
AWS S3 Object Versioning Suspended
This rule is performing well in telemetry, no major query changes in terms of detection logic or rule type.
- to improve performance, changed event category field to `event.type` since `event.category` is not mapped for `PutBucketVersioning` event.action. This avoids use of `any` in query.
- added `event.provider == "s3.amazonaws.com"` to query
- added highlighted fields
- updated investigation guide
* removed some copy errors
This rule is triggering as expected. However, the threat this rule is meant to capture is a potential malicious .js file upload. Currently it is capturing both GetObject (read file) and PutObject (write file) API calls which is adding noise without adding much threat detection value.
- Removed `GetObject` API call from scope, so this rule focuses only on write activity. This reduced alert telemetry volume by ~73%
- added `event.outcome == success` criteria to exclude failed upload attempts
- corrected `Pulumi` typo in user agent exclusion criteria
- reduced execution window
- added highlighted fields
* [Rule Tuning][New Rule] AWS S3 Bucket Policy Added to Share with External Account/ to Allow Public Access
AWS S3 Bucket Policy Added to Share with External Account
Low telemetry volume overall, however false positives were seen for cloudfront identity and service accounts being given access to a bucket
- Reduced the scope of this rule to only analyze policy that include account ids or account ARNs (which include an account ID). This eliminates the false positives triggered by sharing buckets with a service account (i.e. cloudtrail.amazonaws.com)
- Excluded cloudfront identity, which should be treated the same way service accounts are being treated and be excluded as they do not include account IDs in their ARN
- This rule wasn't explicitly capturing the use of `Principal: *` which is a public sharing method, often accompanied by a Condition statement (i.e. aws.SourceAccount = OR aws.PrincipalAccount= OR ip.address = ....). The new query will capture Condition statements that include an account id. However there is still a gap for Policies that have explicit `Principal:*` with or without a condition, so another rule was created that will account for these scenarios.
- added highlighted fields
- updated investigation guide and description
- updated Mitre tactics and tags
- `event.type` used in place of `event.category` field
### AWS S3 Bucket Policy Added to Allow Public Access
Rule added to cover gap in public bucket policy added which includes an `Effect=Allow` and `Principal: *`. While an additional condition might be added to this policy which would exclude public access, cases where the condition is not included mean the bucket is publicly accessible. Both cases need to be verified, because even the condition could be giving access to an attacker owned account. There is also the chance that an `Effect=Deny` for `Principal:*` will trigger a false positive for this rule if the same policy also includes an `Effect=Allow` statement. We call this out in the description, false positive and investigation guide sections of the rule.
* [Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion
All 3 rules are showing extremely low telemetry volume as expected. No major changes needed to these queries.
- updated the descriptions, investigation guides and false positive sections
- reduced execution window
- added highlighted fields
* Revert "[Rule Tunings] AWS Group Creation, User Added to Group, Group Deletion"
This reverts commit c66a4f11e1c690a856b1c2f4cbb03077739629d7.
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
# Pull Request
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5189
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Tunes `Suspicious Entra ID OAuth User Impersonation Scope Detected (9563dace-5822-11f0-b1d3-f661ea17fbcd)` rule to reduce FPs. Please see related issue for more information.
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
Query can be used in TRADE stack. TeamFiltration testing and matches occurred in July 2025.
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5185
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Adds a specific detection rule for admin confirmed compromise by Entra ID protection. Relates to BBR rule `Microsoft Entra ID Protection - Risk Detections`. Please see related issue for more details.
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
Query can be used in TRADE serverless stack.
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
* [Rule Tuning] AWS User Created Access Key For Another User
Telemetry looks good for this rule, no way to change this from ESQL as we need to be able to compare fields.
- added event.dataset to query
- added source.ip, cloud.account.id, event.dataset, aws.cloudtrail.user_identity.access_key_id, and source.geo.* fields to `keep`
- added to highlighted fields
- updated IG
* toml-lint
* [Rule Tuning][New BBR Rule] AWS Sign-In Token Creation and Console Login
### Tuning - "AWS Signin Single Factor Console Login with Federated User"
Rule scope change and name change to match
- This original rule description suggests that it was designed to capture console login sessions by a Federated User without the use of MFA. However, AWS does not capture MFA usage for Federated Users (only for Root and IAM users). Federated identities will often use 3rd party IDP apps like Okta to enforce MFA, that data is not captured in Cloudtrail. So, the fields `MFAUsed` of `mfaAuthenticated` will always show as False/No in Cloudtrail.
- I changed the scope of this rule to simply capture Console Login by a Federated User. For security reasons this behavior should be correlated with 3rd party IDP data to ensure MFA was established by the identity requesting the Federated Console login. This is very low noise behavior both in telemetry and prod data.
- added highlighted fields
- edited investigation guide to align with scope change
### New BBR
- `GetSigninToken` exchanges existing temporary AWS credentials (e.g., from STS GetFederationToken or AssumeRole) for a short-lived sign-in token that is embedded in a one-click URL to the AWS Management Console.
- ConsoleLogin API often follows a `GetSignInToken` request in normal operations. However, suspicious circumstances like both requests coming from different IPs or geo locations might indicate some form of compromise and should be investigated.
- This BBR rule is created to capture all successful `GetSigninToken` requests for any identity type. It can be used for further correlation with other rules or as an investigative/hunting rule during alert triage.
* adding FederatedUser to query
adding FederatedUser to query
* changed ig title to match rule name
changed ig title to match rule name
* toml-lint
* [Rule Tunings] AWS IAM Administrator Access Policy Attached to Group/Role/User
All 3 rules triggering as expected, low telemetry volume. However, the same rule logic can be applied via EQL so I've changed the rule types for all 3 from ESQL to EQL. To provide better telemetry and alert context for users.
- changed rule type to EQL
- updated all IGs
- added highlighted fields
- added index
* removed double note key
removed double note key
* adding iam event.category
* removed file beat compatibility missing category for AttachRolePolicy
filebeat does not have category mapping for AttachRolePolicy event
* toml-lint
* [New Rule] Azure Storage Blob Retrieval via AzCopy with SAS Token
# Pull Request
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5178
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Adds detection capabilities for Azure Storage Blob retrieval via AzCopy with SAS tokens. Related to behavior observed by Storm-0501. Please see related issue for more details.
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
Query can be used in TRADE stack.
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
* updating non-ecs
* Update rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
* Update rules/integrations/azure/exfiltration_azure_storage_blob_download_azcopy_sas_token.toml
* [Rule Tuning][Deprecation] AWS Root Console Login Rules
Deprecate - AWS Root Login Without MFA
- Starting deprecation process for this rule. While root login without MFA should certainly be investigated, this rule overlaps with the broader AWS Successful Root Console login rule. Between the 2, the broader rule should remain since all succesful Root console login events should be investigated. Part of the investigation can include determining if MFA was or was not enabled.
Tuning - AWS Management Console Root Login
No major rule changes needed, telemetry is low as expected for this rule
- reduced execution window
- updated investigation guide
- adjusted tags
- added highlighted fields
- added Mitre subtechnique
Tuning - AWS Management Console Brute Force of Root User Identity
No major rule changes needed, telemetry is low as expected for this rule
- reduced execution window
- updated investigation guide
- adjusted tags
- added highlighted field (the only one available for threshold rule is the threshold field)
* adding AWS Sign-In tag
adding AWS Sign-In tag
* [Rule Tunings] AWS Root Password Recovery and Login Profile Created
AWS IAM Password Recovery Requested > AWS Sign-In Root Password Recovery Requested
- Name change to properly indicate the service Sign-In vs IAM which is used for this API call. Also highlights that this is `Root` activity. In AWS, the PasswordRecoveryRequested event from signin.amazonaws.com applies to the root user’s “Forgot your password?” flow. Other identity types, like IAM and federated users, do not generate this event.
- reduced execution window
- updated Investigation Guide
- updated tag
- added highlighted fields
AWS IAM Login Profile Added for Root
- changed rule type from esql to eql
- added index
- reduced execution window
- updated description and investigation guide to clarify emphasis on Root identity scope
- added highlighted fields
* increased severity score
increased severity score since this is related to root
* Update broken link
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* [Rule Tuning] AWS S3 Bucket Enumeration or Brute Force
- changed to threshold rule to improve context
- groups alerts by unique combination of `tls.client.server_name`(bucket name), `source.address` (can be either an ip or an internal AWS service address like ), and `aws.cloudtrail.user_identity.type` (this is to prevent capturing double events produced when a user Assumes a role inside another AWS account. This results in the same request being created twice, once as both AssumedRole and AWSAccount identity types)
- uses `event.id` as the cardinality field and counts >= 40
- checks that`tls.client.server_name` exists in the query, this is to prevent capturing denied internal AWS actions that may occur against no particular bucket but against the S3 service itself
- adds highlighted fields
- replaces mitre technique
- replaces more detailed investigation guide including specific details around investigating Threshold rule types via timeline
* kuery language update
* removing extra space
* adding integration
* removing filebeat because of tls.client.server_name
removing filebeat because of tls.client.server_name
* update IG references
updated the references listed in the IG
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
- changed rule from esql to new_terms. While details are limited in telemetry, the noise is evident. We've also gotten complaints about the noise from our own infosec team, prompting this tuning. Changes to a new terms rule will reduce noise by over 90% when tested against prod data.
- This originally only triggered for role chaining within a single AWS account, so excluded common cross-account role assumption. However, I am unable to apply a filter for that with KQL but the benefits to creating new-terms rule outweigh the benefits of keeping that exclusion with esql.
- looks for unique combination of `aws.cloudtrail.user_identity.session_context.session_issuer.arn` (originating role) and `aws.cloudtrail.resources.arn`(target role). Because the only identity type we are concerned with here are `AssumedRole` types, we don't have the same new_terms field limitations as with other rules that also must consider `IAMUser` types. So these fields will suffice.
- added highlighted fields
- added index pattern. rule is compatible with filebeat
- updated the investigation guide and description and description
Note: I may consider creating a broader BBR rule, with the same criteria just not new terms, as a way of capturing all instances of role chaining for investigative purposes
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* [Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded
- changed this from ESQL to EQL. While initially were only able to isolate uploaded file names using the `aws.cloudtrail.request_parameters` field, we now can use the target.entity.id field to isolate the uploaded file arn. I've adjusted the regex pattern to distinguish between the bucket name and the file uploaded, both of which are included in the target.entity.id field.
- I chose eql instead of esql to 1. provide more meaningful alert context to the user and 2. allow for easier exclusions for the user. Right now these alerts aren't generating much meaningful context.
- edits to description
- new investigation guide using specific AWS IR Ransomware Playbooks as additional context
- additional MITRE technique
* added highlighted fields
added highlighted fields
* fixed MITRE reference
* added cloudtrail index mapping
* Update rules/integrations/aws/impact_s3_bucket_object_uploaded_with_ransom_extension.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* using aws.cloudtrail.resources.arn instead of target.entity.id
using aws.cloudtrail.resources.arn instead of target.entity.id
* Apply suggestions from code review
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* [New Rule] Azure RBAC Built-In Administrator Roles Assigned
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
# Pull Request
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5108
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Adds a new rule for detecting `Azure RBAC Built-In Administrator Roles Assigned` from Azure Activity Logs. Please se issue for more details.
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
Query can be used in TRADE serverless stack.
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
* fixed query logic
* fixed query logc
* fixed query logic
* adding field to non-ecs
* updated UUID
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
# Pull Request
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5138
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Adds a missing detection for Azure storage account updates that enabled Blob Storage public access. **Please see the related issue for more details.**
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
Query can be used in TRADE stack for example data.
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
# Pull Request
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5183
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Tunes the `Azure Entra ID Rare App ID for Principal Authentication` rule to ignore specific first-party client IDs that generate FPs regarding this rule.
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
Query can be used in TRADE or telemetry stack.
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
* [Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
# Pull Request
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5154
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Adjusts Azure / M365 rules regarding lookback windows, interval and index scopes. Please see related issue for more details.
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
* fixing timestamps
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* update dates
* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* [Rule Tuning] Update Azure / M365 Mappings
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
# Pull Request
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5152
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Updates all mappings for Azure / M365 rules for accuracy and missing mappings.
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
* reverting changes to unit test
* changed webhook rule back to persistence
* Update rules/integrations/azure/persistence_azure_automation_webhook_created.toml
* updated date
* updating date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* updating Azure AD Global Administrator Role Assigned
* removed logic changes as it only effects outside of PIM. Adding a different rule for these
* slight change to query
* tuning severity
* Update rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Update rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
* Update rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
# Pull Request
*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5140
<!--
Add Related Issues / PRs for context. Eg:
Related to elastic/repo#999
Resolves#123
If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->
## Summary - What I changed
Adds missing detection coverage for retrieving Azure Storage Account keys by a user with highly-privileged roles. Please see the related issue for more details.
<!--
Summarize your PR. Animated gifs are 💯. Code snippets are ⚡️. Examples & screenshots are 🔥
-->
## How To Test
Query can be used in TRADE stack for telemetry visbility.
<!--
Some examples of what you could include here are:
* Links to GitHub action results for CI test improvements
* Sample data before/after screenshots (or short videos showing how something works)
* Copy/pasted commands and output from the testing you did in your local terminal window
* If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
* Query used in your stack to verify the change
-->
## Checklist
<!-- Delete any items that are not applicable to this PR. -->
- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
* updating Azure AD Global Administrator Role Assigned
* removed logic changes as it only effects outside of PIM. Adding a different rule for these
* slight change to query
* tuning rule Microsoft Entra ID Elevated Access to User Access Administrator
* revert changes
* Added operation name to query logic
* [Tuning] AWS Access Token Used from Multiple Addresses
Tuning was triggered by a community member
- fixes wildcard and `Pulumi` typos to exclude common IaC tools
- adds exclusion for ``source.as.organization.name` == "AMAZON-02" and aws.cloudtrail.event_category == "Data"` to exclude the noisy multi-IP traffic coming from Amazon-02 networks performing high-throughput data-plane operations. I didn't exclude this network completely because this network can also indicate user-triggered events that are worth keeping in the alert.
- added additional high noise service providers that may be more indicative of console browsing
- added a field for pairing source.ip & network
- added highlighted fields
* Update rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
* Update rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml
AWS SNS is a pub/sub style service where users can subscribe to a topic and receive messages published to that topic. Below is a screenshot of the different protocols a user could subscribe with and the various endpoints that could be associated with those protocols.
AWS SNS Email Subscription by Rare User --> AWS SNS Rare Protocol Subscription by User (not a new rule)
- changed the scope of the rule to capture the first time a user/role subscribes to a topic via a particular protocol (ie. email, http, lambda, mobile). Subscribing to an SNS topic via email is a rather normal behavior and it would be normal for each user to subscribe this way "for the first time" making this rule not as valuable as it was intended to be.
- reduced execution window
- added real-world threat references
- added additional MITRE technique and Impact tag
- small edits to IG and Description
- edited highlighted fields
AWS SNS Topic Message Publish by Rare User
- added AWS to name for consistency
-changed new terms fields to use a combination of cloud.account.id and user.name against the topic itself `aws.cloudtrail.resources.arn`. So that instead of simply evaluating the first time a user/role publishes a message to ANY topic, this rule now looks for the first time a user/role publishes a message to a particular topic. We want to make this distinction to capture the case where an identity responsible for publishing to a particular topic A suddenly starts publishing to another topic B, which indicates behavior that should be verified.
- reduced new terms window
- added setup notes as Data events are necessary for capturing the `Publish` API call
- reduced execution window
- added real-world threat references
- added additional MITRE technique and Impact tag
- small edits to IG and Description
- edited highlighted fields
AWS SNS Topic Created by Rare User
- removed the `AssumedRole` and `*-i*` parameters from the query as this narrowed the query to only alert on behavior from EC2 instance roles. We ideally want to evaluate this behavior for all users and roles.
- reduced execution window
- added real-world threat references
- added additional MITRE technique and Impact tag
- small edits to IG and Description
- edited highlighted fields
* [Rule Tuning] AWS S3 Unauthenticated Bucket Access by Rare Source
No query changes as this rule is alerting as expected, however I did change the new terms field to be a combination of an IP address and a particular bucket name. Rather than just alerting for the IP address itself. Perhaps an IP is seen retrieving a doc from a public bucket in the environment (expected behavior) but then it also accesses a file in a bucket meant to be private (unexpected behavior). With new terms only on the IP address we would miss the private bucket access.
- added `tls.client.server_name` to new terms field (bucket name)
- reduced execution window
- removed duplicate IG
- added setup note for turning on data events
- small edits to description and highlighted fields
* Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
* Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
* Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
* Update collection_s3_unauthenticated_bucket_access_by_rare_source.toml
* [Rule Tunings] AWS DynamoDB new terms Rules
### AWS DynamoDB Scan by Unusual User
- changed new terms field to use cloud.account.id and user.name combination to account for roles and users
- reduced execution window
- reduced history window
- small edits to description, IG and highlighted fields
### AWS DynamoDB Table Exported to S3
- removed inaccurate setup notes
- reduced history window
- small edits to description and highlighted fields
* Apply suggestions from code review
This rule is performing as expected and low noise in telemetry so no changes to query
- added investigation fields
- small edits to description and IG
- added a reference from Unit42 showing real world threat case
- reduced execution window
* [Rule Tuning] SSM Session Started to EC2 Instance
Role/role session noise seen in telemetry due to new fields term using `aws.cloudtrail.user_identity.arn`, which is unique for each role session and does not isolate the role itself.
- new fields term change to `cloud.account.id` and `user.name` combination to account for both IAMUsers and Roles across multiple accounts.
- added AWS to the rule name
- reduced execution window
- small edits to description and IG
- added reference from IG to Reference section
* adding highlighted fields
* added EC2 tag
* Update lateral_movement_aws_ssm_start_session_to_ec2_instance.toml
* Apply suggestions from code review
* [Rule Tunings] AWS Route Table Created / AWS EC2 Route Table Modified or Deleted
AWS Route Table Created
- turned this into a new_terms rule to reduce noise and be more indicative of potential malicious behavior. Used `cloud.account.id`, `user.name` combination to account for both roles and users doing this behavior for the first time.
- changed execution interval
- changed the name to add EC2
- slight adjustments to IG and description
- fixed tagging error
- added investigation fields
AWS EC2 Route Table Modified or Deleted
- replaced new terms field to `cloud.account.id`, `user.name` combination to account for both roles and users doing this behavior for the first time.
- removed the exclusions from this rule. These exclusions, while meant to reduce noise caused by automation tools, actually just provide an easy bypass. A user can simply use CloudFormation to perform the exact same behaviors and avoid detection. I've shown this in the screenshot below, I ran a nearly identical script, one with and one without using CloudFormation. While `source.address` is `cloudformation.amazonaws.com` the behavior was still performed by an IAMUser and should still be evaluated. The fact that this is a new terms rule will reduce the risk of noise due to automation using these tools.
- changed execution interval
- slight adjustments to IG and description
- added investigation fields
* Update persistence_route_table_created.toml
* Update rules/integrations/aws/persistence_ec2_route_table_modified_or_deleted.toml
- query change : I chose to replace `aws.cloudtrail.user_identity.arn` with `user.id` and a more accurate wildcard pattern. This will reduce the chances of this rule triggering for role sessions outside of those started by EC2 instances. The wildcard pattern looks for a role session name that starts with `i-` this is because when an EC2 instance operates using it's attached Role (instance profile), the session name attached to that role name is the instance id (`i-......`). The `user.id` field appends this session name to the role name via a standard pattern `:[session_name]`, making it a more reliable field to use in this case.
- small edits to description and IG
- reduced execution window
- reduced history window
- edited highlighted fields
Note: the new_terms field here remains `aws.cloudtrail.user_identity.arn` because we are only interested in assumed roles, and even more particular, only those used by an EC2 instance. This means we want to evaluate each individual instance's behavior rather than the broader behavior of the role itself. The arn field will capture each instance id (session name) alongside the role itself.
Mika Ayenson, PhD