Files

T

Isai cd003fc9a7 [New Rule] AWS CloudTrail Log Evasion (#4788 )

* [New Rule] AWS CloudTrail Log Evasion

Identifies the evasion of cloudtrail logging for IAM actions involving policy creation, modification or attachment. When making certain policy-related API calls, an adversary may pad the associated policy document with whitespaces to trigger CloudTrail’s logging size constraints, resulting in incomplete logging where critical details about the policy are omitted. By exploiting this gap, threat actors can bypass monitoring performed through CloudTrail and can effectively obscure unauthorized changes. This rule looks for IAM API calls with the requestParameters property containing reason:”requestParameters too large” and omitted:true.

This is a known gap in AWS with no immediate remediation steps. While the size constraint issue affects additional services, IAM policy-related API calls are the only that pose a security risk which is why this rule is scoped specifically to `event.provider: iam.amazonaws.com`.  For additional background on the evasion technique refer to Permisso's [research](https://permiso.io/blog/cloudtrail-logging-evasion-where-policy-size-matters).

* aligning IG and rule name

* added investigation fields

added investigation fields

* change severity

* updating pyproject version

2025-06-17 13:58:26 -04:00

_deprecated

Deprecate Cloud Defend Rules (#4537 )

2025-03-14 21:27:37 +05:30

apm

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

cross-platform

Update initial_access_azure_o365_with_network_alert.toml (#4723 )

2025-05-19 20:54:19 +05:30

integrations

[New Rule] AWS CloudTrail Log Evasion (#4788 )

2025-06-17 13:58:26 -04:00

linux

[New Rule] Kubeconfig File Creation or Modification (#4810 )

2025-06-17 15:01:07 +02:00

macos

[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547 )

2025-04-22 21:23:01 +05:30

Prep main for 9.1 (#4555 )

2025-03-26 11:04:14 -04:00

network

[Rule Tuning] Reduce Severity from Critical to High (#4637 )

2025-05-06 21:37:47 +05:30

promotions

Update Max signals value to supported limits (#4556 )

2025-03-27 09:02:25 +05:30

threat_intel

[Rule Tuning] Reduce Severity from Critical to High (#4637 )

2025-05-06 21:37:47 +05:30

windows

[Rule Tuning] PowerShell ES|QL Rules Tuning (#4785 )

2025-06-17 10:36:51 -03:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka