Isai
a6d31d7dfd
* [New Rules] AWS Long-Term Creds Abuse Coverage This adds a two-layer approach to long-term IAM access key (AKIA*) abuse, aligned with reporting on stolen or leaked keys often abused as seen in Kudelski Security — Trivy supply-chain report. ### Layer 1 — AWS Long-Term Access Key First Seen from Source IP (9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f) New Terms on CloudTrail when a given AKIA succeeds from a new `source.ip` in the history window. Goal: catch novel use of a durable key (travel, new egress, or attacker infrastructure). ### Layer 2 — AWS Long-Term Access Key Correlated with Elevated Detection Alerts Higher-order rule on open alerts that requires both the Layer 1 rule and at least one other open alert on the same `source.ip` at medium+ severity (or equivalent risk score). Goal: raise priority when “new IP for this key” happens together with stronger, post-compromise-style signals. The higher-order rule correlates on `source.ip` in .alerts-security.* index. In testing, I chose to tie the same sessions together using `source.ip` vs `access_key.id` because the alerts index did not expose this field for queries. Screenshots below show testing that verified the approach. The same operator/session across Layer 1 rule, the sibling alert, and the Layer 2 correlation rule for two separate lab scenarios (e.g. a high-severity sibling rule and a medium-severity sibling rule). * adding IAM to rule names * removing unnecessary ref * Fixed Mitre tactics and tags --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
rules/
Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)
| folder | description |
|---|---|
. |
Root directory where rules are stored |
apm/ |
Rules that use Application Performance Monitoring (APM) data sources |
cross-platform/ |
Rules that apply to multiple platforms, such as Windows and Linux |
integrations/ |
Rules organized by Fleet integration |
linux/ |
Rules for Linux or other Unix based operating systems |
macos/ |
Rules for macOS |
ml/ |
Rules that use machine learning jobs (ML) |
network/ |
Rules that use network data sources |
promotions/ |
Rules that promote external alerts into detection engine alerts |
windows/ |
Rules for the Microsoft Windows Operating System |
Integration specific rules are stored in the integrations/ directory:
| folder | integration |
|---|---|
aws/ |
Amazon Web Services (AWS) |
azure/ |
Microsoft Azure |
cyberarkpas/ |
Cyber Ark Privileged Access Security |
endpoint/ |
Elastic Endpoint Security |
gcp/ |
Google Cloud Platform (GCP) |
google_workspace/ |
Google Workspace (formerly GSuite) |
o365/ |
Microsoft Office |
okta/ |
Okta |