* [Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance
- changed execution window
- explicitly added flattened fields to query, to reduce wildcard usage
- added investigation fields
- changed new terms field to evaluate `user.name` over `aws.cloudtrail.user_identity.arn` so that only the role name for Assumed Role identities is being evaluated instead of each individual session. This should greatly impact performance as most instances of this rule in telemetry are triggered by Assumed Roles.
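To make the cardinality point concrete, here is an added example (not code from the detection-rules repository or the rule above) that compares how many distinct "new terms" a set of CloudTrail identities produces when keyed on the raw identity ARN versus on the role or user name. The ARN parsing is my own approximation of the `user.name` mapping the commit message relies on; the sample ARNs are constructed.

```python
"""Compare new-terms cardinality: raw identity ARN vs. role/user name.

Added example. The ARN-to-name mapping below is an approximation of how
`user.name` is derived for CloudTrail identities (assumption, not the
integration's own code); the sample ARNs are constructed.
"""
import re

# Assumed-role session ARNs carry both the role name and a per-session name.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/([^/]+)/(.+)$")
# IAM user ARNs carry just the user name.
IAM_USER_RE = re.compile(r"^arn:aws:iam::\d{12}:user/(.+)$")

# Constructed sample: three sessions of one role plus one IAM user.
SAMPLE_ARNS = [
    "arn:aws:sts::123456789012:assumed-role/ExampleRole/session-a1b2",
    "arn:aws:sts::123456789012:assumed-role/ExampleRole/session-c3d4",
    "arn:aws:sts::123456789012:assumed-role/ExampleRole/session-e5f6",
    "arn:aws:iam::123456789012:user/alice",
]


def identity_name(arn: str) -> str:
    """Collapse an identity ARN to the stable principal name.

    Assumed-role sessions collapse to the role name, so every session of the
    same role yields the same term; IAM users collapse to the user name;
    anything else falls back to the full ARN.
    """
    m = ASSUMED_ROLE_RE.match(arn)
    if m:
        return m.group(1)
    m = IAM_USER_RE.match(arn)
    if m:
        return m.group(1)
    return arn


def distinct_terms(arns, key):
    """Return the set of distinct terms a new-terms rule would track for `key`."""
    return {key(arn) for arn in arns}


def term_counts(arns):
    """(distinct raw ARNs, distinct principal names) for the same events."""
    by_arn = distinct_terms(arns, lambda arn: arn)
    by_name = distinct_terms(arns, identity_name)
    return len(by_arn), len(by_name)


if __name__ == "__main__":
    raw, named = term_counts(SAMPLE_ARNS)
    print(f"keyed on ARN: {raw} terms; keyed on name: {named} terms")
```

Every fresh STS session is a new ARN, so keying on the ARN re-fires the rule once per session; keying on the principal name makes the role the unit of novelty, which is what the tuning above intends.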
* Apply suggestions from code review
* remove instanceId parameter
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* [New Rule] AWS CloudTrail Log Evasion
Identifies the evasion of CloudTrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail's logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:"requestParameters too large" and omitted:true.
This is a known gap in AWS with no immediate remediation steps. While the size constraint issue affects additional services, IAM policy-related API calls are the only ones that pose a security risk, which is why this rule is scoped specifically to `event.provider: iam.amazonaws.com`. For additional background on the evasion technique refer to Permiso's [research](https://permiso.io/blog/cloudtrail-logging-evasion-where-policy-size-matters).
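As an added illustration of the detection logic described above (not the rule's own query or code from the repository), the following Python runs the same check over constructed CloudTrail records: it keeps only `iam.amazonaws.com` events and flags those whose `requestParameters` were replaced by the `omitted`/`reason` marker. The record shapes, account id, role and policy names are constructed sample data; the `originalSize` field is included because CloudTrail reports it alongside `omitted`, but the values here are made up.

```python
"""Flag CloudTrail IAM events whose requestParameters were truncated.

Added example. Records below are constructed sample data, not real telemetry;
only the fields the check reads are filled in.
"""
import json

# Constructed sample records in the shape of a CloudTrail log file object.
SAMPLE_LOG = json.dumps({"Records": [
    {   # IAM policy write whose parameters CloudTrail dropped: should be flagged.
        "eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
        "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/session-1"},
        "requestParameters": {"omitted": True, "originalSize": 103534,
                              "reason": "requestParameters too large"},
    },
    {   # Normal IAM policy write with its parameters intact: not flagged.
        "eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "requestParameters": {"policyArn": "arn:aws:iam::123456789012:policy/ExamplePolicy",
                              "policyDocument": "{}", "setAsDefault": True},
    },
    {   # Truncated parameters on a non-IAM service: outside the rule's scope.
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"omitted": True, "originalSize": 200000,
                              "reason": "requestParameters too large"},
    },
]})

TRUNCATION_REASON = "requestParameters too large"


def load_records(text: str) -> list:
    """Accept either a CloudTrail log file object ({"Records": [...]}) or a bare list."""
    data = json.loads(text)
    if isinstance(data, dict):
        return data.get("Records", [])
    return data


def is_truncated_iam_event(record: dict) -> bool:
    """True when an IAM API call's requestParameters were dropped for size."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return False
    params = record.get("requestParameters")
    if not isinstance(params, dict):
        return False
    return params.get("omitted") is True and params.get("reason") == TRUNCATION_REASON


def find_truncated_iam_events(records: list) -> list:
    """Return the investigation-relevant fields for each matching record."""
    hits = []
    for record in records:
        if is_truncated_iam_event(record):
            hits.append({
                "eventName": record.get("eventName"),
                "actor": (record.get("userIdentity") or {}).get("arn"),
                "originalSize": record["requestParameters"].get("originalSize"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_truncated_iam_events(load_records(SAMPLE_LOG)):
        print(hit)
```

Because the policy document itself is absent from the truncated record, the useful follow-up is outside the log: retrieve the current policy or policy version for the affected role/policy and compare it against the intended state, which is why the actor and event name are surfaced here rather than any policy content.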
* aligning IG and rule name
* added investigation fields
* change severity
* updating pyproject version
* [Rule Tuning] AWS EC2 Deprecated AMI Discovery
Rule triggers as expected
Telemetry shows only known FP risks from tools that are intentionally including deprecated AMIs in their searches (these should be excluded by customers)
- changed the query to reduce use of multiple wildcards
- changed the execution window
- removed unnecessary parts of IG
- added to the highlighted fields
* update non-ecs-schema.json
update non-ecs-schema.json with field "aws.cloudtrail.flattened.request_parameters.ownersSet.items.owner"
* update version in pyproject.toml
* Update pyproject.toml
* new rule 'Suspicious Email Access by First-Party Application via Microsoft Graph'
* updated patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Add check-version-lock dev command
* Bump the version
* Add Check Double Bumps to lock-versions workflow
* Replace return with ctx aware exit
* Bump Version
* Update Double Bump Modulo calculation
* Update if formatting
* Undo formatting typo
* Add logic to process the local file
* Update for descriptiveness
* Allow double bump branch for testing
* Pass github token
* Re-restrict to main
* Patch version bump
* Add comment if no double bumps found
* Bump Version
* Update Schema Prompt to include new_terms_fields
* Version Bump
* Ensure list of strings
* Update utils to support comma delimited strings
* Also remove excess quotes
* Bump patch version
* Remove Union
* bump version
* Added new cli flag to exclude tactic name in rule file name
* added a shortcut for the flag and adjusted CLI readme
* Add no tactic flag also to import to prevent warnings
* Added info about unit test
* version bump
* Added no_tactic_filename as config option + fixed linting
* pyproject version bump
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* Add support for local dates flag
* Use two variables
* Add support for import-rules-to-repo
* Revert arg formatting
* Update comment
* Pass Rule Path as Path Object
* Update to rule loader function
* Streamline metadata function
* Also support dictionaries
* Bump patch version
* Reduce complexity
* Add if path exists check
* Fix version bump
* tuning 'Azure Service Principal Credentials Added'
* updated patch version
* added investigation guide
* updating patch version
* updating patch version
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'
* updated MITRE ATT&CK mappings
* updated index target
* updated patch version
* updating patch version
* bumping patch version
* updating patch version
* Add error catch for workaround
* Switch to set for efficiency
* Patch version bump
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Simplify kibana session management
* Drop removed options from `kibana_args` set
* Style fix
* Patch version bump
* Bumping kibana lib version
* Relax CLI requirement, making `api_key` optional, to allow `help` to run
* new rules for AWS DynamoDB data exfiltration
* bumping patch version
* adjusting investigation guide
* updating patch version
* updating patch version
* updating patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Add Env Var DR_CLI_MAX_WIDTH
* Version Bump
* Update limit from 120 to 240
* Clean references to reference main
* Update Readme with DaC Info
* Add DaC to Table of Contents
* Bump Patch Version
* Updated naming and add dac md
* Organize Imports
* Deprecate upload-rule
* Update docs/detections-as-code.md
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* move docs to docs-dev
* Sort custom rules imports
* Remove duplicate
* Fix typo
* Bump Patch Version
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* chore: use `docs-dev` instead of `docs` folder
* patch version bump
* Rollback an incorrect rename
* Use exact docs dir in the helper comment
* Revert some overeager renamings
* Moving `docs` to `docs-dev`
* Update Docs Paths
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
* Delete RTAs
* Delete RTA-related orchestration code
* Drop RTAs from tests
* Remove RTAs from README
* Further cleanup
* Readme update
* Version bump and no more RTAs
* Styling fixes
* Drop RTAs from config files
* Drop `rule-mapping.yaml`
* Bring back event collector / normalizer
* Drop rta mention
* Cleanup rta leftovers
* Style fix
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* rule tuning 'First Occurrence of Entra ID Auth via DeviceCode Protocol'
* bumping patch version
* fixed investigation guide unit test failure
* bump patch