62982f9d8c
[New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User ( #3910 )
...
* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User
* increased severity score
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-08-01 00:30:02 -04:00
f2eb78219c
[New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time ( #3923 )
...
* [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time
* Update discovery_new_terms_sts_getcalleridentity.toml
* Update execution_new_terms_ec2_instance_cloudformation_createstack.toml
* Update rules/integrations/aws/execution_new_terms_ec2_instance_cloudformation_createstack.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* rule name change, removed ec2
* Update rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-07-31 16:55:49 -04:00
1b58d0640b
[New Rule] AWS EC2 Instance Console Login via Assumed Role ( #3922 )
...
* [New Rule] AWS EC2 Instance Console Login via Assumed Role
* added reference for custom url creation
* added STS tag
* added event.provider to query
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-31 15:52:59 -04:00
a28af59d02
[New Rule] AWS EC2 Instance Interaction with IAM Service ( #3920 )
...
* [New Rule] AWS EC2 Instance Interaction with IAM Service
* Update rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-31 15:44:02 -04:00
f3b0dc1954
Prep for next release 8.16 ( #3919 )
2024-07-24 11:19:56 -04:00
baee89de9b
Revert "Prep for next release 8.16 ( #3914 )"
...
This reverts commit 4245a815d2
2024-07-23 14:06:04 -04:00
4245a815d2
Prep for next release 8.16 ( #3914 )
...
* Prep for Release 8.16
* Add subscription
* Remove double subscription
* Formatting
* Formatting
* Revert Beaconing rules minstack and lock version
2024-07-23 13:04:03 -04:00
03c99d22d3
Revert "Prep for Release 8.16 ( #3913 )"
...
This reverts commit 01135085f6
2024-07-23 09:50:04 -05:00
01135085f6
Prep for Release 8.16 ( #3913 )
2024-07-23 09:42:26 -05:00
322162f097
[New Rule] AWS S3 Bucket Replicated to Another Account ( #3895 )
2024-07-18 22:52:39 -04:00
e9cb2228e6
[New Rule] AWS S3 Object Versioning Suspended ( #3894 )
...
* [New Rule] AWS S3 Object Versioning Suspended
* description spacing changes
* update description
2024-07-18 22:14:46 -04:00
80f85cff4d
[New Rule] AWS S3 Bucket Server Access Logging Disabled ( #3892 )
...
* [New Rule] AWS S3 Bucket Server Access Logging Disabled
* changed severity from low to medium
2024-07-18 18:28:19 -04:00
44658ea5f6
[Rule Tunings] Change from to prevent double alerts ( #3868 )
2024-07-11 13:02:10 -04:00
f0ab897f99
[Rule Tunings] AWS Administrator Access Policy Attached Rules ( #3867 )
...
* [Tuning] AWS Administrator Access Policy Attached Rules
* change lookback to prevent overlap
* changed from to now-6m
2024-07-11 12:49:03 -04:00
80ac2794f2
[Rule BugFix] Google Workspace Oauth2 new app ( #3436 )
...
* [Rule BugFix] Google Workspace Oauth2 new app
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
* [Rule BugFix] Google Workspace Oauth2 new app update (#3436 )
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-11 10:45:17 -04:00
21485b16fa
[Tuning & Changes] Misc rule/hunt tuning ( #3875 )
...
* [Tuning & Changes] Misc rule/hunt tuning
* Bump update_date
* ++
* Updated docs
2024-07-11 14:55:33 +02:00
7f3c977192
[Rule Tuning] Tune Attempts to Brute Force a Microsoft 365 User Account ( #3860 )
...
* tuning 'Attempts to Brute Force a Microsoft 365 User Account'
* added reference
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-08 13:07:44 -04:00
215d5a0861
[New Rule] AWS S3 Object Encryption Using External KMS Key ( #3861 )
...
* [New Rule] AWS S3 Object Encryption Using External KMS Key
Identifies encryption events for S3 bucket objects using an AWS KMS key from an external account. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.
* Update impact_s3_object_encryption_with_external_key.toml
* Update impact_s3_object_encryption_with_external_key.toml
* missing coma after tag
* missing backslash on technique reference
2024-07-05 12:25:55 -04:00
cd716e5248
[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId ( #3685 )
...
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-05 05:46:40 +01:00
83be212632
[New Rule] AWS RDS DB Instance Made Public ( #3836 )
...
* [New Rule] AWS RDS DB Instance Made Public
...
* Apply suggestions from code review
* added coverage for instances created with public access
* rule review edits
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-03 01:01:52 -04:00
3a5c5c20a8
[New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled ( #3851 )
...
* [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Removed
...
* insert rule_id
* rule name change
2024-07-02 17:22:03 -04:00
9f4956f542
[New Rule] AWS RDS DB Instance or Cluster Password Modified ( #3844 )
...
* [New Rule] AWS RDS DB Instance or Cluster Password Modified
..
* Update rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-02 16:14:51 -04:00
43fbf94d8a
[New Rule] AWS RDS Snapshot Shared with Another Account ( #3831 )
...
* [New Rule] AWS RDS DB Snapshot Shared with Another Account
...
* Update exfiltration_rds_snapshot_shared_with_another_account.toml
* edit threat matrix format
* Apply suggestions from code review
* Update rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-07-02 15:36:44 -04:00
aaf014390b
[New Rule] AWS RDS Snapshot Deleted ( #3852 )
...
* [New Rule] AWS RDS Snapshot Deleted
* added coverage for backupRetentionPeriod set to 0
2024-07-02 14:01:15 -04:00
d59d462956
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded ( #3854 )
...
* tuning 'Potential AWS S3 Bucket Ransomware Note Uploaded'
* adding filter to ignore common AWS object path strings
2024-07-02 13:02:52 -04:00
5fe7833312
[Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction ( #3849 )
...
* tuning google workspace rules
* removed verbiage about runtime
2024-07-01 15:50:12 -04:00
99a4d629c9
[New Rule] Entra ID Device Code Auth with Broker Client ( #3819 )
...
* new rule 'Entra ID Device Code Auth with Broker Client'
* updated azure integration, non-ecs updated, rule date updated
* updates tags
* updated query to add Azure activity logs
* merging in main
* updated azure manifest and schemas
* updated azure manifest and schemas
* updated index map for summary and changelog
* removed string imports
* reverting packaging.py updates
* adjusted query
* adjusted query to be more optimized
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-07-01 10:31:26 -04:00
f62644887e
[Rule Tuning] AWS RDS Snapshot Restored ( #3809 )
...
* [Tuning] AWS RDS Instance Restored
-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added
* Update defense_evasion_rds_instance_restored.toml
* Update defense_evasion_rds_instance_restored.toml
* removed investigation guide place holder
* deprecated old rule because of name change
* change rule_id
* Revert "change rule_id"
This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.
* Revert "deprecated old rule because of name change"
This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.
2024-06-28 20:42:36 -04:00
2e3aca62f0
[Rule Tuning] Multiple Device Token Hashes for Single Okta Session ( #3814 )
...
* tuning 'Multiple Device Token Hashes for Single Okta Session'
* adjusted file name
* updated tags
* updated file name extension
* updated min-stack comments
2024-06-28 12:59:24 -04:00
2708a89f20
[New Rule] AWS IAM User Created Access Keys for Another User ( #3788 )
...
* [New Rule] AWS IAM User Created Access Keys for Another User
...
* updated min_stack and removed index field
* reversed tactic order
* added AWS documentation as reference
* Apply suggestions from code review
updated_date, query format change, removed keep from query
2024-06-25 00:11:48 -04:00
da8f3e4880
[New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor ( #3797 )
...
* adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash'
* adding new rule 'Multiple Okta User Authentication Events with Client Address'
* updating UUIDs
* removed indexes
* adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication'
* added okta outcome reason 'INVALID_CREDENTIALS' to queries
* updated risk score
* made all rules low risk score
* added user session start to rule
* updated min-stack comments
2024-06-21 13:11:23 -04:00
11aab028dc
[Rule Tuning] Okta User Sessions Started from Different Geolocations ( #3799 )
...
* tuning 'Okta User Sessions Started from Different Geolocations'
* TOML linting
* updated min-stack comments
* added setup
* Removed some blank spaces
2024-06-20 16:52:26 -04:00
51b9717ac0
Adding setup templates to the ML rules ( #3798 )
...
* Added setup instructions for ml rules
2024-06-19 10:04:41 -04:00
c1dcd21531
Closes #2216 ( #2855 )
...
* Update privilege_escalation_sts_assumerole_usage.toml
* Update privilege_escalation_sts_assumerole_usage.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2024-06-13 16:52:54 -04:00
89d89f15d2
Update FIM integration Setup sequence ( #3781 )
2024-06-12 16:40:45 +05:30
8baf5dc2d8
Add exceptions to C2 Beaconing Activity ( #3771 )
2024-06-11 18:43:46 +05:30
ec223a4a05
[New Rule] Suspicious File Modification ( #3746 )
...
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-06-11 13:03:20 +02:00
62eea772d0
[New Rule] AWS S3 Bucket Ransom Note Uploaded ( #3604 )
...
* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement'
* fixed technique mapping
* added investigation guide; added more ransom note extensions
* adjusted lookback and maxspan
* added API call to second sequence
* updating date
* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* changed rule to ESQL; updated investigation guide
* changed file name
* removed txt, ecc, and note
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-10 10:47:20 -04:00
e1cbf9f684
[New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) ( #3735 )
...
* [New Rule] AWS IAM AdministratorAccess Policy Attached to User
issue...
* add source.address and source.geo.location
* fix threat tactic ids
* AdministratorAccess Policy Attached to Group
* AdminstratoAccess Policy Attached to Role
* reduce severity to medium
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-07 18:31:06 -04:00
9f67585332
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded ( #3634 )
...
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* changed tactic to privilege escalation
* added additional reference
* added investigation guide
* updated summary
* changed risk score to medium; adjusted tags
* fixed mitre mapping
* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-05 10:33:42 -04:00
05ac4e1bd3
[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag ( #3590 )
...
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'
* updated rule contents
* added investigation guide; changed new terms to uder.id
* adjusted time window
* adjusted rule name
* updated query, adjusted new terms value
2024-06-05 10:22:38 -04:00
c77eb1d915
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created ( #3609 )
...
* new rule 'AWS IAM Roles Anywhere Role Creation'
* adjusted rule to focus on Roles Anywhere profile creation
* added rule for roles anywhere trusted anchor; updated rule file naming
* added investigation guide
* added investigation guide
* adjusted rule and file name
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-05 10:10:53 -04:00
e357a2c050
Refresh MITRE Attack v15.1.0 ( #3725 )
2024-06-04 20:14:58 +05:30
59b7e3bde4
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager ( #3589 )
...
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'
* updated user identity arn to user.id for cross-service password retrieval
* added investigation guides; bumped dates; adjusted threshold value
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-04 09:20:04 -04:00
0885032b2c
[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation ( #3632 )
...
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'
* updated rule UUID
* added investigation guide
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-03 11:42:38 -04:00
856c6c5a1f
[New Rule] AWS EC2 EBS Snapshot Shared with Another Account ( #3601 )
...
* new rule 'AWS EC2 EBS Snapshot Shared with Another Account'
* added investigation guide
* updated rule name
* converted to ES|QL
* reverting non-ecs update
2024-06-02 10:30:08 -04:00
70469b4cdb
[New Rule] AWS Lambda Layer Added to Existing Function ( #3631 )
...
* new rule 'AWS Lambda Layer Added to Existing Function'
* updated query logic; added investigation note
2024-06-02 08:41:04 -04:00
7c82e75cf4
[New Rule] AWS S3 Bucket Policy Added to Share with External Account ( #3603 )
...
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'
* added investigation guide
* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
2024-06-01 10:31:41 -04:00
23ce41d8af
[New Rule] AWS GetCallerIdentity API Called for the First Time ( #3711 )
...
* [New Rule] AWS GetCallerIdentity API Called for the First Time
issue
* Apply suggestions from code review
name change, false positive additions, remove Setup, change new_terms window from 15d to 10d
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
fixed missing closing quotes
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-05-31 17:55:06 -04:00
418a95205e
Remove unwanted backticks ( #3724 )
2024-05-31 21:46:24 +05:30
Isai