security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,648 Commits 1 Branch 0 Tags
8dfa5da3bf41eec3acec83beb6ee15498cd6fbb3
Commit Graph

342 Commits

Author SHA1 Message Date
Mika Ayenson, PhD 49c361dd98 [New Rules] Azure OpenAI (#3701) 
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2025-03-04 22:59:38 +05:30
Terrance DeJesus 4b7aa67213 [New Rule] Adding Coverage for M365 OneDrive Excessive File Downloads with OAuth Token (#4469) 
* new rule 'M365 OneDrive Excessive File Downloads with OAuth Token'

* removed Azure data source tag; added saas tag

* removed Azure data source tag; added saas tag

* updated mitre mappings

* added tactic:collection tag

* removed file directory, added targeted_time_window to aggregation
 2025-02-21 10:45:04 -05:00
Terrance DeJesus 0b98462cfe [New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458) 
* new hunting queries for SNS

* added KEEP to all queries; adjusted description in SNS rule
 2025-02-20 10:53:36 -05:00
Terrance DeJesus ec4523a6a9 [Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466) 
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'

* bumping patch version

* fixed investigation guide unit test failure

* bump patch
 2025-02-20 10:29:04 -05:00
Terrance DeJesus 17ea9fbdd5 [New Rule] Adding Coverage for AWS SNS Topic Created by Rare User (#4455) 
* new rule 'AWS SNS Topic Created by Rare User'

* changed file name

* Update rules/integrations/aws/resource_development_sns_topic_created_by_rare_user.toml

* moved new terms link to investigation guide
 2025-02-20 10:05:40 -05:00
shashank-elastic 692a1382bf Fix spacing in Setup information (#4470) 2025-02-20 10:04:13 +05:30
Jonhnathan 5155f47b86 [Rule Tuning] Event Aggregation - Fix event.action & event.type conditions (#4445) 
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions

* .

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2025-02-07 18:42:28 -03:00
Mika Ayenson c7f5385711 [Rule Tuning] Decrease Interval to 1m for Endpoint Promotions (#4450) 2025-02-07 08:30:35 -06:00
shashank-elastic a866ee7f57 Fix remaining Replace master doc URLs with current (#4441) 2025-02-03 23:03:20 +05:30
shashank-elastic 818467f132 Replace master doc URLs with current (#4439) 2025-02-03 21:27:50 +05:30
Terrance DeJesus bf1caf8b5f [Rule Tuning] December-January AWS Rule Tuning (#4425) 
* [Rule Tuning] AWS Monthly Rule Tunings

* Adding several more AWS tunings

* updating patch version

* updating non-ecs type to boolean

* fixed cloudtrail index
 2025-01-31 10:35:18 -05:00
Mika Ayenson 7c6c77932c [FR] Add Remaining Guides (#4412) 2025-01-22 14:43:30 -06:00
Mika Ayenson fe8c81d762 [FR] Generate investigation guides (#4358) 2025-01-22 11:17:38 -06:00
Terrance DeJesus fb13b89f8d [New Rule] Adding Coverage for AWS S3 Unauthenticated Bucket Access by Rare Source (#4315) 
* adding new rule 'AWS S3 Unauthenticated Object Retrieval by Rare Source'

* adjusted logic to capture multiple event calls

* updated verbiage

* updated MITRE mappings

* fixing date
 2025-01-20 13:36:09 -05:00
Terrance DeJesus 7be96ec64d [Rule Tuning] Add Public Snapshot Coverage Regarding AWS EC2 EBS Snapshot Shared or Made Public (#4335) 
* removing detection gap for EBS snapshots that are made public

* reverted logic; added investigation note about public snapshots
 2025-01-20 13:15:41 -05:00
Ruben Groenewoud 01eda44298 [Rule Tuning] Linux Persistence Rules (#4393) 
* [Rule Tuning] Linux Persistence Rules

* Update persistence_suspicious_file_modifications.toml

* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
 2025-01-20 09:51:49 +01:00
Terrance DeJesus ca3994af0d [Deprecation] Deprecating Potential Password Spraying of Microsoft 365 User Accounts (#4394) 
* Deprecating 'Potential Password Spraying of Microsoft 365 User Accounts'

* adding 'Deprecated - Suspicious JAVA Child Process'

* updated dates

* changed to deprecated maturity
 2025-01-17 10:52:13 -05:00
Terrance DeJesus 5162067a51 [New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C (#4377) 
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'

* updated pyproject patch version

* bump repo version

* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml

* updating patch version

* updating patch version

* Adding additional threshold rule
 2025-01-15 14:11:58 -05:00
Terrance DeJesus c04ae6d444 [New Rule] Adding Coverage for SNS Topic Message Publish by Rare User (#4350) 
* new rule 'SNS Topic Message Publish by Rare User'

* added new terms note

* added investigation guide tag

* fixed tag, added investigation fiedls

* toml lint

* fixed mitre ATT&CK mapping
 2025-01-15 13:55:45 -05:00
Terrance DeJesus 97b3f43870 [New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery (#4328) 
* new rule 'AWS EC2 Deprecated AMI Discovery'

* updated type

* updated non-ecs; bumped package version

* updated query

* added missing index

* updated patch version
 2025-01-15 11:53:18 -05:00
Terrance DeJesus f8312cc5b0 [Rule Tuning] Adjusting Verbiage for AWS EC2 Instance Connect SSH Public Key Uploaded (#4334) 
* tuning rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'

* updating subtechnique ID

* added mitre tag lateral movement

* changing sequence of mitre ATT&CK
 2025-01-15 11:12:53 -05:00
Terrance DeJesus f97007f3a8 [New Rule] Adding Coverage for AWS SQS Queue Purge (#4354) 
* new rule 'AWS SQS Queue Purge'

* Update rules/integrations/aws/defense_evastion_sqs_purge_queue.toml

* added investigation guide tag; fixed file name
 2025-01-15 10:52:22 -05:00
James Valente f52cfb3729 [Rule: Tuning] - Azure blob permission modification tagging - Correct tags (#4371) 
* Remove `Data Source: Elastic Defend` tag

* Update metadata

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2025-01-13 10:40:34 -03:00
Ruben Groenewoud 466097c31e [Rule Tuning] Potential Persistence via File Modification (#4310) 
* [Rule Tuning] Potential Persistence via File Modification

* Update persistence_suspicious_file_modifications.toml

* Update persistence_suspicious_file_modifications.toml
 2025-01-03 16:19:58 +01:00
Terrance DeJesus 9fb2dea7aa [New Rule] Endpoint Security Promotion Rules for Specific Events (#3533) 
* new endpoint security rules for specific alerts

* updated risk scores

* fixed rule names and UUIDs

* changed logic to use message field for detection vs prevention

* reverting changes

* reverting changes

* reverting to old commit

* reverting to old commit

* reverting to old commit

* reverting to old commit

* changed naming to Elastic Defend

* updated rule dates and min-stacks

* linted; adjusted queries

* updated ransomware, memory sig or shellcode risk

* Update rules/integrations/endpoint/elastic_endpoint_security.toml

* updated promotion rule

* fixed typos in naming

* updated setup guides

* added intervals

* added MITRE

* added investigation guide for Memory Threat

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* ++

* ++

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml

* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml

* ++

* ++

* ++

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update defense_evasion_elastic_memory_threat_prevented.toml

* toml-lint

* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* ++

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-12-19 13:24:23 -05:00
Terrance DeJesus dad008ea34 [Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules (#4324) 
* rule tuning Okta and AWS lookback times

* adjusted Query Registry using Built-in Tools

* adjusted My First Rule

* Update rules/cross-platform/guided_onboarding_sample_rule.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-12-19 13:03:50 -05:00
Terrance DeJesus 0a740074c9 new rule 'Azure Entra MFA TOTP Brute Force Attempts' (#4297) 2024-12-12 11:00:02 -05:00
Terrance DeJesus e6012b1db6 Removing ESQL query format error (#4292) 2024-12-10 09:27:37 -05:00
Terrance DeJesus 052672b09f [Rule Tuning] Update Okta and Github Min-Stack Versions for Release (#4290) 2024-12-09 20:58:33 +05:30
Terrance DeJesus e7b88ae3fc [New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS (#4277) 
* new rule 'AWS IAM Login Profile Added for Root'

* added min-stack

* linted; fixed rule schema errors

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-12-09 08:55:20 -05:00
shashank-elastic 2c848c5111 Prep for Release 8.18 (#4288) 2024-12-09 18:25:13 +05:30
Isai 511c108ba1 [Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application (#4283) 
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application

SDH related rule tuning for o365.audit dataset

* removing renamed field from query
 2024-12-06 17:27:38 -05:00
shashank-elastic 801efb3d93 Protections for AWS Bedrock (#4270) 2024-12-03 21:56:39 +05:30
shashank-elastic 53cfeb76e3 Add event dataset for missing rule in Github integration (#4278) 2024-12-03 20:32:55 +05:30
shashank-elastic 5ab7565923 Minstack versions for Okta and Github Integration (#4273) 2024-11-27 18:39:41 +05:30
Terrance DeJesus 2d79494068 new rule 'AWS STS AssumeRoot by Rare User and Member Account' (#4271) 2024-11-25 10:28:43 -05:00
Samirbous f36845318e [New] First Time Seen User Auth via DeviceCode Protocol (#4153) 
* Create credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update credential_access_first_time_seen_device_code_auth.toml

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update credential_access_first_time_seen_device_code_auth.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-11-11 13:04:18 +00:00
Terrance DeJesus ef453d8f4d [Rule Tuning] Add Investigation Fields to Specific AWS Rules (#4261) 
* adding investigation fields to specific aws rules

* updated patch

* removing min-stack requirements

* removed user.name redundancy

* adjusted order of investigation fields

* adding source address
 2024-11-08 23:11:18 -05:00
shashank-elastic d2502c7394 Prep for Release 8.17 (#4256) 2024-11-07 23:53:04 +05:30
Terrance DeJesus a92fdc18a1 [New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User (#4245) 
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'

* adding investigation guide tag

* adds new hunting query

* updated notes

* changed name

* adjusting pyproject.toml version
 2024-11-06 13:36:13 -05:00
shashank-elastic 6a39009402 Add investigation guide for Amazon Bedrock Rules (#4247) 
* Add investigation guide for Amazon Bedrock Rules

* updated date

* review comments

* review comments

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-11-06 12:58:02 -05:00
Terrance DeJesus 1cc160fe2e [Rule Tuning] Add Investigation Guides to AWS Rules (#4249) 
* adding investigation guides for existing AWS rules

* removing 'AWS EC2 Instance Interaction with IAM Service' rule tuning

* adding back newline

* adjusted mitre att&ck mapping

* adjusted query and rule name

* updating date
 2024-11-06 12:29:14 -05:00
Terrance DeJesus c602042954 [New Rule] Adding Coverage for AWS Discovery API Calls via CLI from a Single Resource (#4246) 
* adding new rule 'AWS Multiple Discovery API Calls via CLI from a Single Resource'

* adjusted name

* adjusted ESQL functions

* changed query comment

* Update rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml

* adjusted query

* added min-stack

* adjusted query
 2024-11-06 12:14:38 -05:00
Terrance DeJesus ef6344f5e6 [Rule Tuning] Tuning AWS STS Temporary Credentials via AssumeRole (#4228) 
* tuning 'AWS STS Temporary Credentials via AssumeRole'

* linted; adjusted OR in quer

* added investigation guide

* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

* Update rules/integrations/aws/privilege_escalation_sts_temp_creds_via_assume_role.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* added new rule 'AWS STS Role Assumption by User'

* adjusted UUID

* Update rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2024-11-06 12:01:07 -05:00
Terrance DeJesus f486571dc6 [New Rule] Adding Coverage for AWS SSM Command Document Created by Rare User (#4229) 
* new rule 'AWS SSM Command Document Created by Rare User'

* added another reference

* added investigation guide

* removed min-stack

* Update rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml
 2024-11-06 11:53:51 -05:00
Terrance DeJesus 1c9177ef6f [New Rule] Adding Coverage for AWS IAM Create User via Assumed Role on EC2 Instance (#4244) 
* adding new rule 'AWS IAM Create User via Assumed Role on EC2 Instance'

* adding false-positive note

* changed file name

* added event.provider

* tuned 'AWS EC2 Instance Interaction with IAM Service' to be BBR

* updated query

* added BBR tag

* moved rule to BBR

* fixed BBR query

* moved rule to BBR
 2024-11-06 11:28:41 -05:00
Terrance DeJesus d5f36b3619 [New Rule] Adding Coverage for AWS SNS Email Subscription by Rare User (#4224) 
* adding new rule 'AWS SNS Email Subscription by Rare User'

* updated mitre; adjusted non-ecs schema; fixed query

* removed protocol inclusion in query

* fixed risk score

* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2024-11-06 11:19:30 -05:00
Isai 09ea35f33a [New Rule] AWS STS AssumeRole with New MFA Device [Rule Tuning] AWS IAM Deactivation of MFA Device (#4210) 
* [New Rule] [Rule Tuning] AWS STS AssumeRole with New MFA Device, AWS IAM Deactivation of MFA Device

New terms rule for new MFA device with AssumeRole action. Rule tuning to add MITRE technique to "AWS IAM Deactivation of MFA Device"

* add serialNumber to non-ecs schema file

* fixed misspelled toml file name

* Update rules/integrations/aws/persistence_sts_assume_role_with_new_mfa.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-11-05 02:09:05 -05:00
Isai b6847c7a48 [New Rule] AWS STS Role Chaining (#4209) 
* [New Rule] AWS STS Role Chaining

Identifies role chaining activity. Role chaining is when you use one assumed role to assume a second role through the AWS CLI or API.
While this a recognized functionality in AWS, role chaining can be abused for privilege escalation if the subsequent assumed role provides additional privileges.
Role chaining can also be used as a persistence mechanism as each AssumeRole action results in a refreshed session token with a 1 hour maximum duration.
This rule looks for role chaining activity happening within a single account, to eliminate false positives produced by common cross-account behavior.

* adding metadata query fields

* removing index field
 2024-10-30 12:18:04 -04:00
shashank-elastic 123e090e7d Fix Minstack version for windows integration - Pahse 2 (#4216) 2024-10-28 20:25:02 +05:30