From d1638812525d678824cf0a986565454e6fc08f84 Mon Sep 17 00:00:00 2001 
From: Patrick Bareiss Date: Thu, 30 Jan 2025 14:01:28 +0100 Subject: [PATCH 01/15] output normalization for AWS cloudtrail logs --- data_sources/asl_aws_cloudtrail.yml | 10 ++++++++++ data_sources/aws_cloudtrail.yml | 10 ++++++++++ data_sources/aws_cloudtrail_assumerolewithsaml.yml | 10 ++++++++++ data_sources/aws_cloudtrail_consolelogin.yml | 10 ++++++++++ data_sources/aws_cloudtrail_copyobject.yml | 10 ++++++++++ data_sources/aws_cloudtrail_createaccesskey.yml | 10 ++++++++++ data_sources/aws_cloudtrail_createkey.yml | 10 ++++++++++ data_sources/aws_cloudtrail_createloginprofile.yml | 10 ++++++++++ data_sources/aws_cloudtrail_createnetworkaclentry.yml | 10 ++++++++++ data_sources/aws_cloudtrail_createpolicyversion.yml | 10 ++++++++++ data_sources/aws_cloudtrail_createsnapshot.yml | 10 ++++++++++ data_sources/aws_cloudtrail_createtask.yml | 10 ++++++++++ .../aws_cloudtrail_createvirtualmfadevice.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deactivatemfadevice.yml | 10 ++++++++++ .../aws_cloudtrail_deleteaccountpasswordpolicy.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletealarms.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletedetector.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletegroup.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deleteipset.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deleteloggroup.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletelogstream.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletenetworkaclentry.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletepolicy.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deleterule.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletesnapshot.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletetrail.yml | 10 ++++++++++ .../aws_cloudtrail_deletevirtualmfadevice.yml | 10 ++++++++++ data_sources/aws_cloudtrail_deletewebacl.yml | 10 ++++++++++ .../aws_cloudtrail_describeeventaggregates.yml | 10 ++++++++++ .../aws_cloudtrail_describeimagescanfindings.yml | 10 ++++++++++ 
.../aws_cloudtrail_getaccountpasswordpolicy.yml | 10 ++++++++++ data_sources/aws_cloudtrail_getobject.yml | 10 ++++++++++ data_sources/aws_cloudtrail_getpassworddata.yml | 10 ++++++++++ data_sources/aws_cloudtrail_jobcreated.yml | 10 ++++++++++ data_sources/aws_cloudtrail_modifydbinstance.yml | 10 ++++++++++ data_sources/aws_cloudtrail_modifyimageattribute.yml | 10 ++++++++++ .../aws_cloudtrail_modifysnapshotattribute.yml | 10 ++++++++++ data_sources/aws_cloudtrail_putbucketacl.yml | 10 ++++++++++ data_sources/aws_cloudtrail_putbucketlifecycle.yml | 10 ++++++++++ data_sources/aws_cloudtrail_putbucketreplication.yml | 10 ++++++++++ data_sources/aws_cloudtrail_putbucketversioning.yml | 10 ++++++++++ data_sources/aws_cloudtrail_putimage.yml | 10 ++++++++++ data_sources/aws_cloudtrail_putkeypolicy.yml | 10 ++++++++++ .../aws_cloudtrail_replacenetworkaclentry.yml | 10 ++++++++++ .../aws_cloudtrail_setdefaultpolicyversion.yml | 10 ++++++++++ data_sources/aws_cloudtrail_stoplogging.yml | 10 ++++++++++ .../aws_cloudtrail_updateaccountpasswordpolicy.yml | 10 ++++++++++ data_sources/aws_cloudtrail_updateloginprofile.yml | 10 ++++++++++ data_sources/aws_cloudtrail_updatesamlprovider.yml | 10 ++++++++++ data_sources/aws_cloudtrail_updatetrail.yml | 10 ++++++++++ ...asl_aws_concurrent_sessions_from_different_ips.yml | 8 +++++++- detections/cloud/asl_aws_create_access_key.yml | 7 ++++++- ...s_create_policy_version_to_allow_all_resources.yml | 11 ++++++++++- .../asl_aws_credential_access_getpassworddata.yml | 8 +++++++- .../asl_aws_credential_access_rds_password_reset.yml | 9 ++++++++- .../asl_aws_defense_evasion_delete_cloudtrail.yml | 7 ++++++- ...ws_defense_evasion_delete_cloudwatch_log_group.yml | 7 ++++++- ...l_aws_defense_evasion_impair_security_services.yml | 7 ++++++- .../asl_aws_defense_evasion_putbucketlifecycle.yml | 10 +++++++++- ...sl_aws_defense_evasion_stop_logging_cloudtrail.yml | 8 ++++++-- .../asl_aws_defense_evasion_update_cloudtrail.yml | 7 ++++++- 
..._creating_keys_with_encrypt_policy_without_mfa.yml | 4 ++-- .../cloud/asl_aws_disable_bucket_versioning.yml | 4 ++-- .../cloud/asl_aws_ec2_snapshot_shared_externally.yml | 4 ++-- ...ws_ecr_container_upload_outside_business_hours.yml | 9 ++++++++- .../asl_aws_ecr_container_upload_unknown_user.yml | 7 ++++++- .../asl_aws_iam_accessdenied_discovery_events.yml | 4 ++-- .../asl_aws_iam_assume_role_policy_brute_force.yml | 4 ++-- detections/cloud/asl_aws_iam_delete_policy.yml | 7 ++++++- .../cloud/asl_aws_iam_failure_group_deletion.yml | 7 ++++++- .../cloud/asl_aws_iam_successful_group_deletion.yml | 7 ++++++- .../asl_aws_multi_factor_authentication_disabled.yml | 7 ++++++- ...ccess_control_list_created_with_all_open_ports.yml | 4 ++-- .../asl_aws_network_access_control_list_deleted.yml | 4 ++-- .../asl_aws_new_mfa_method_registered_for_user.yml | 7 ++++++- .../cloud/asl_aws_saml_update_identity_provider.yml | 4 ++-- detections/cloud/asl_aws_updateloginprofile.yml | 4 ++-- 77 files changed, 639 insertions(+), 37 deletions(-)
diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml
index 743e34d3eb..4067891655 100644
--- a/data_sources/asl_aws_cloudtrail.yml
+++ b/data_sources/asl_aws_cloudtrail.yml
@@ -11,3 +11,13 @@ supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
   version: 7.9.0
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml
index af1afc59c0..7b0fe94375 100644
--- a/data_sources/aws_cloudtrail.yml
+++ b/data_sources/aws_cloudtrail.yml
@@ -11,3 +11,13 @@ supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876
   version: 7.9.0
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
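Review bot: The new `output_fields` list in the asl_aws_cloudtrail.yml hunk names normalized fields but gives no hint which raw field feeds each one, and that matters most for `status` and `dest`: none of the example_log excerpts in this patch show a top-level status key, and CloudTrail records normally signal failure only through errorCode/errorMessage, so `status` has to be derived rather than extracted. If the asl_ prefix means Amazon Security Lake (OCSF-shaped records), the raw names also differ from the aws_cloudtrail.yml source that receives the identical list, yet nothing here says where the mapping lives. I would add a comment above the key, e.g. `# Normalized names the detection searches emit; the raw-to-normalized mapping (e.g. status from errorCode presence) lives in the detection SPL, not here`, adjusted to wherever the mapping actually lives. The supported_TA block the hunk touches starts above the hunk.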
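Review bot: The aws_cloudtrail.yml hunk leaves the file without a trailing newline (`\ No newline at end of file`) while the sibling asl_aws_cloudtrail.yml hunk in the same patch keeps one; yamllint's new-line-at-end-of-file rule will flag it and the next append becomes a noisy diff, so end the file with `- vendor_product` followed by a newline. The same nine-item list is pasted verbatim into every aws_cloudtrail_* data source in this patch, so a later change to the normalized schema means roughly fifty coordinated edits; if the content tooling cannot share the list, at least pin it with a comment such as `# Keep in sync with the output_fields of the other aws_cloudtrail_* data sources` so drift is caught in review.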
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
index ef4041930f..1e084d3f2a 100644
--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -124,3 +124,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "pri "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
index 0ddc77ce93..a0e6ac0ab0 100644
--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -100,3 +100,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "acco "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 44fabed1bb..8a18f7196b 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
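Review bot: `user` is declared as an output field for a record whose identity type is SAMLUser (visible in the truncated hunk header), and federated identities typically do not carry an IAM userName the way IAMUser records do; if the normalization takes `user` from userIdentity.userName this source may emit an empty `user`, which would silently blind any detection that groups or allowlists on it. Please confirm the mapping falls back to userIdentity.arn or principalId for SAMLUser (the Root-type examples in the MFA-device sources of this patch raise the same question) and record it if so, e.g. `# user: userIdentity.arn (userName is absent for SAMLUser/Root identities)`. The example_log scalar starts outside the hunk.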
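Review bot: `vendor_account` will now surface recipientAccountId, and the context line of the consolelogin hunk shows the fixture using `"recipientAccountId": "140429656527"`, which looks like a real account id rather than the 111111111111 placeholder used by most sibling sources; the createaccesskey, createvirtualmfadevice, deletegroup, deletepolicy and describeeventaggregates examples in this patch carry similar non-placeholder ids. Since these example_log values presumably feed the normalized-field tests and ship with the repository, consider redacting them to the placeholder before the new field draws attention to them. The example_log scalar starts outside the hunk.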
@@ -117,3 +117,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events.json"}], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111", "eventCategory": "Data"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
index 4834e03b5d..ba52e7cc49 100644
--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -101,3 +101,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventID": "5772e8d5-cccc-470d-81ef-acacfe85a804", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "121521347698"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
index 8c2aa289b1..559d8f6805 100644
--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -148,3 +148,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "111111111111", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
index 7f09482a94..62e8a84d9e 100644
--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -100,3 +100,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventID": "ffb76906-6dd1-4219-adfe-e26b92036a1e", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
index b9eb2d9e66..0b6513a87b 100644
--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -119,3 +119,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "_return": true}, "requestID": "d29c9c32-3a72-48d3-b612-6ba795e9ec64", "eventID": "6d1ce00e-4099-463c-8a4d-2af2fb2178ba", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
index 49b4ea9e54..a6bc2e77fa 100644
--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -104,3 +104,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventID": "33149175-90fd-4cff-a43b-408e4f848c1c", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
index d8140341e4..4f15149046 100644
--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -116,3 +116,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index 64c885e902..f32fbe482a 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -119,3 +119,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "datasync.us-west-2.amazonaws.com"}, "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
index 579ea87956..fcde36eecb 100644
--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -98,3 +98,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
index bfef68070f..ffd2cce1a4 100644
--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -98,3 +98,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip null, "requestID": "d27cfb15-34b4-4c16-82bc-a55d15b4e47d", "eventID": "bfe9fd91-0b4d-470a-9c03-77839151806d", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
index 3998089a44..2e8b539ce8 100644
--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -98,3 +98,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip "requestID": "e3616938-1aac-4abd-9ea3-3b0367b85082", "eventID": "bbd8cb02-22ba-4d1b-b23d-b82975463376", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml
index d7b436d019..7710191a7d 100644
--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -139,3 +139,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "bcfccd92-5bf1-4de1-9cfd-87fdeb70e452", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
index df3b6cea4e..9f458387e9 100644
--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -96,3 +96,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "requestID": "1e832076-d7a8-432b-b0df-54ba62f6b62c", "eventID": "c1367a2f-8910-4e64-9256-a854d2e9f37d", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
index f383f21440..bcd6b53f7b 100644
--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -100,3 +100,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin null, "requestID": "15684d3b-a8c5-4334-a996-16619e901c17", "eventID": "ab65dca3-3d28-41f4-9f99-443606cc49fe", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "121522247101"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
index 9e70698a5f..7300dd3775 100644
--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -97,3 +97,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "requestID": "70d36916-4ce7-4b6e-9226-9da47d58d554", "eventID": "884dc529-d98f-4529-bfa1-8cdd6c06d02f", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
index 936f52788a..8bd1c24727 100644
--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -98,3 +98,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "apiVersion": "20140328", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
index 591ea64693..23ac7d5217 100644
--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -99,3 +99,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "apiVersion": "20140328", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
index 7c0003f08b..3a81b49a5c 100644
--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -108,3 +108,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "_return": true}, "requestID": "607474bb-836b-46be-be4a-351ebbef67d6", "eventID": "b9e05770-e9b0-4ba1-91e8-6537097e06e7", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
index 44cd10188c..362f8d64b0 100644
--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -100,3 +100,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "responseElements": null, "requestID": "90cbe52f-e744-4bba-9f5c-1843c9ca1855", "eventID": "abd071bf-0a38-4fab-af4a-5eee55f0935e", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "151521547504"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
index 545fbcec9a..da5c248eb7 100644
--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -100,3 +100,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml
index 6b586a2a3e..f5d7b3e37b 100644
--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -143,3 +143,13 @@ example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "AssumedRole", " "56f61d71-6620-4958-8dbf-03410913f1cc", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "11111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
index 1555fafdac..bbd8895df7 100644
--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
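Review bot: The context line of the deletesnapshot hunk shows `"recipientAccountId": "11111111111111"` (14 digits) on the very record that `vendor_account` is now expected to normalize; AWS account ids are 12 digits, so if this example_log doubles as the fixture for the new field it will not exercise a realistic value, and any length-based validation of the normalized field would fail on it. Trim the fixture to `"recipientAccountId": "111111111111"` to match the sibling sources in this patch. The example_log scalar starts outside the hunk.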
@@ -96,3 +96,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
index e03ef28b7d..65b63154e3 100644
--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -98,3 +98,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip "01f0258f-b83f-4c0f-8fd3-380473840db8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
index 2368ae2314..fa5f221fe4 100644
--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
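Review bot: `src` is declared in the deletetrail hunk for a defense-evasion source whose detections will plausibly pivot on source address, but CloudTrail's sourceIPAddress is documented to carry an AWS service DNS name (for calls a service makes on a principal's behalf) or a console-originated address rather than a client IP, and nothing in the list says whether `src` is that field copied through or something filtered. If it is a straight copy, say so where the field is declared so consumers do not assume an IP: `# src: sourceIPAddress (may be an AWS service DNS name rather than an IP)`. The example_log scalar starts outside the hunk.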
@@ -100,3 +100,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
index ae72fb9931..f5d9d3481a 100644
--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -95,3 +95,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
index 79696cbffc..4c7474123b 100644
--- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -893,3 +893,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "23c19e2d-c48b-4265-b4eb-853e7b325780", "eventID": "6c94a9b2-36dc-43f8-a6dd-4ec839ded8af", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
index 376fecc828..a0bab6ed21 100644
--- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -97,3 +97,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
index 27d29dea5d..f4d8f6a98d 100644
--- a/data_sources/aws_cloudtrail_getobject.yml
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -111,3 +111,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111", "eventCategory": "Data", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "security-content.s3.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
index fc6857d804..0ecc4a9853 100644
--- a/data_sources/aws_cloudtrail_getpassworddata.yml
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -113,3 +113,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
index b33710f139..2cfd2a971e 100644
--- a/data_sources/aws_cloudtrail_jobcreated.yml
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -82,3 +82,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"accountId": "1111111111 "jobArn": "arn:aws:s3:us-west-2:111111111111:job/bb54efd8-937d-4f0c-967d-aa8443998dac", "status": "New", "jobEventId": "4e70d2f1053c07a79d9be9a14e486020", "failureCodes": [], "statusChangeReason": []}, "eventCategory": "Management"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
index 813b021c40..0099164677 100644
--- a/data_sources/aws_cloudtrail_modifydbinstance.yml
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -191,3 +191,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "eventID": "46351ca1-760e-4eef-b3ff-19723e13fbf8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
index e73a70ec35..2ed3f141ac 100644
--- a/data_sources/aws_cloudtrail_modifyimageattribute.yml
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -106,3 +106,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "eventID": "957e1b12-ea17-4006-aefd-20677ace72b8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
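Review bot: `status` and `user` are declared in the jobcreated hunk, but the example in the hunk header is a record whose userIdentity begins with accountId rather than a type/principal, and the context line carries `"status": "New"` nested inside the job details; if the normalization maps `status` from a field literally named status, this S3 job record would yield "New" instead of a success/failure value, and `user` may come out empty for a service-originated event. Worth confirming both against this fixture and recording the decision next to the list, e.g. `# status derives from errorCode presence, not the nested job status`. The example_log scalar starts outside the hunk.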
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
index 373a15ede9..984eed009c 100644
--- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -99,3 +99,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
index 10765a8703..dd9244bcaa 100644
--- a/data_sources/aws_cloudtrail_putbucketacl.yml
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -114,3 +114,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucket19"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}'
+output_fields:
+- action
+- dest
+- user
+- user_agent
+- status
+- src
+- vendor_account
+- vendor_region
+- vendor_product
\ No newline at end of file
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
index c9d8491a16..3bf8e3044a 100644
--- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -118,3 +118,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "my-cloudtrail-bucket-alfsujjpnbpguqrh.s3.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml index 50c9bb4051..29af5a9296 100644 --- a/data_sources/aws_cloudtrail_putbucketreplication.yml +++ b/data_sources/aws_cloudtrail_putbucketreplication.yml @@ -139,3 +139,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " true, "recipientAccountId": "111111111111", "vpcEndpointId": "vpce-a0d039c9", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml index 4d928ee0d2..98d0b3bbb1 100644 --- a/data_sources/aws_cloudtrail_putbucketversioning.yml +++ b/data_sources/aws_cloudtrail_putbucketversioning.yml 
@@ -127,3 +127,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " true, "recipientAccountId": "111111111111", "vpcEndpointId": "vpce-a0d039c9", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml index 707c03fcf6..6767023899 100644 --- a/data_sources/aws_cloudtrail_putimage.yml +++ b/data_sources/aws_cloudtrail_putimage.yml @@ -149,3 +149,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "resources": [{"accountId": "111111111111", "ARN": "arn:aws:ecr:eu-central-1:1111111111111:repository/devsecops/cat_dog_server"}], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml index 9b2786fadb..673cfe26ba 100644 --- a/data_sources/aws_cloudtrail_putkeypolicy.yml +++ b/data_sources/aws_cloudtrail_putkeypolicy.yml @@ -130,3 +130,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file 
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml index 4ce1405960..96ccbb6f6b 100644 --- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml +++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml @@ -116,3 +116,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "_return": true}, "requestID": "97b40da9-9291-4a92-8e9e-892b6887ffc9", "eventID": "46fe04b8-d007-4933-8bb8-c8b65c1121fa", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml index 9797971379..45f6c59184 100644 --- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml +++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml @@ -97,3 +97,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventID": "742f6e55-4bc7-49e2-965f-56ffbc46a980", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml index f285ce143e..05bab8be43 100644 --- a/data_sources/aws_cloudtrail_stoplogging.yml +++ b/data_sources/aws_cloudtrail_stoplogging.yml 
@@ -93,3 +93,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml index de90a002fe..cd2b197c3a 100644 --- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml +++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml @@ -105,3 +105,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip null, "requestID": "7685efa9-5c56-451a-bd25-3db520108589", "eventID": "ccc1d5c2-dd72-4798-8023-ed5a4205f2d5", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml index 6978637a08..c412ba3d29 100644 --- a/data_sources/aws_cloudtrail_updateloginprofile.yml +++ b/data_sources/aws_cloudtrail_updateloginprofile.yml 
@@ -95,3 +95,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "08f38478-1749-4fb5-b07c-469d3448777a", "eventID": "033580e7-bbba-4b70-be63-7eeddb04b842", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml index 2f2cd5b188..89da13bbb3 100644 --- a/data_sources/aws_cloudtrail_updatesamlprovider.yml +++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml @@ -185,3 +185,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "requestID": "83d621ad-5b33-4ff0-acf4-0043cb432844", "eventID": "51b6d859-0cc4-4591-ba76-3494f3f43832", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml index f22ec6b7ba..8d4215f3ad 100644 --- a/data_sources/aws_cloudtrail_updatetrail.yml +++ b/data_sources/aws_cloudtrail_updatetrail.yml 
@@ -105,3 +105,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index b3bf16236b..e31576cdea 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml 
@@ -8,7 +8,13 @@ type: Anomaly description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`' +search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" + | bin span=5m _time + | stats min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid + | where distinct_ip_count > 1 + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` + | `asl_aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. references: diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index eeb433eaa8..d609bae9cf 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml 
@@ -8,7 +8,12 @@ type: Hunting description: The following analytic identifies the creation of AWS IAM access keys by a user for another user, which can indicate privilege escalation. It leverages AWS CloudTrail logs to detect instances where the user creating the access key is different from the user for whom the key is created. This activity is significant because unauthorized access key creation can allow attackers to establish persistence or exfiltrate data via AWS APIs. If confirmed malicious, this could lead to unauthorized access to AWS services, data exfiltration, and long-term persistence in the environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' +search: '`amazon_security_lake` api.operation=CreateAccessKey + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |`asl_aws_create_access_key_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. 
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. references: diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml index d4620bd070..2c8a070d64 100644 --- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml 
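Review bot: The new `stats` line drops `actor.user.uid` from the `by` clause, yet the following `rename actor.user.uid as user ...` still expects it; because `rename` on a field absent from the stats output is a silent no-op, the result loses the `user` field entirely and counts are aggregated across all users, which defeats a detection whose description hinges on who created the key. The `by` list should read `by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.uid actor.user.account.uid cloud.provider cloud.region`. The same omission appears in the `stats` lines of the hunks ending at L32, L34, L36, L38, L40, L42 and L44 (every ASL search in this patch except the concurrent-sessions one on L27–L28, which keeps `actor.user.uid` in its `by` clause).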
@@ -8,7 +8,16 @@ type: TTP description: The following analytic identifies the creation of a new AWS IAM policy version that allows access to all resources. It detects this activity by analyzing AWS CloudTrail logs for the CreatePolicyVersion event with a policy document that grants broad permissions. This behavior is significant because it violates the principle of least privilege, potentially exposing the environment to misuse or abuse. If confirmed malicious, an attacker could gain extensive access to AWS resources, leading to unauthorized actions, data exfiltration, or further compromise of the AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`' +search: '`amazon_security_lake` api.operation=CreatePolicy + | spath input=api.request.data + | spath input=policyDocument + | regex Statement{}.Action="\*" + | regex Statement{}.Resource="\*" + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` + |`asl_aws_create_policy_version_to_allow_all_resources_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. references: diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml index 4c112af04c..fd67f6a248 100644 --- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
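Review bot: The rewritten first `search` line still filters on `api.operation=CreatePolicy`, while the file name and the description describe the `CreatePolicyVersion` event; the removed line carried the same filter, so this is pre-existing, but the rewrite touched the line and is the place to fix it. If the analytic is meant to catch new policy versions as documented, consider `api.operation IN ("CreatePolicy","CreatePolicyVersion")`, or else align the description with what the search actually matches. As written, an overly permissive version added to an existing policy would not be seen by this search.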
@@ -8,7 +8,13 @@ type: Anomaly description: The following analytic identifiesGetPasswordData API calls in your AWS account. It leverages CloudTrail logs from Amazon Security Lake to detect this activity by counting the distinct instance IDs accessed. This behavior is significant as it may indicate an attempt to retrieve encrypted administrator passwords for running Windows instances, which is a critical security concern. If confirmed malicious, attackers could gain unauthorized access to administrative credentials, potentially leading to full control over the affected instances and further compromise of the AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' +search: '`amazon_security_lake` api.operation=GetPasswordData + | spath input=api.request.data + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region instanceId + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |`asl_aws_credential_access_getpassworddata_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which 
is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. references: diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 300892fee9..43eb93499f 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
@@ -8,7 +8,14 @@ type: TTP description: The following analytic detects the resetting of the master user password for an Amazon RDS DB instance. It leverages AWS CloudTrail logs from Amazon Security Lake to identify events where the `ModifyDBInstance` API call includes a new `masterUserPassword` parameter. This activity is significant because unauthorized password resets can grant attackers access to sensitive data stored in production databases, such as credit card information, PII, and healthcare data. If confirmed malicious, this could lead to data breaches, regulatory non-compliance, and significant reputational damage. Immediate investigation is required to determine the legitimacy of the password reset. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster | spath input=api.request.data | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' +search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster + | spath input=api.request.data + | search masterUserPassword=* + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |`asl_aws_credential_access_rds_password_reset_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Users may genuinely reset the RDS password. references: diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index bc99f507d0..19c72070dd 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml 
@@ -8,7 +8,12 @@ type: TTP description: The following analytic detects AWS `DeleteTrail` events within CloudTrail logs. It leverages Amazon Security Lake logs parsed in the Open Cybersecurity Schema Framework (OCSF) format to identify when a CloudTrail is deleted. This activity is significant because adversaries may delete CloudTrail logs to evade detection and operate with stealth. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and investigate other potential compromises within the AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudtrail_filter`' +search: '`amazon_security_lake` api.operation=DeleteTrail + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `asl_aws_defense_evasion_delete_cloudtrail_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. 
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. references: diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index 7a1806f3c9..8a86a89fb6 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml 
@@ -8,7 +8,12 @@ type: TTP description: The following analytic detects the deletion of CloudWatch log groups in AWS, identified through `DeleteLogGroup` events in CloudTrail logs. This method leverages Amazon Security Lake logs parsed in the OCSF format. The activity is significant because attackers may delete log groups to evade detection and disrupt logging capabilities, hindering incident response efforts. If confirmed malicious, this action could allow attackers to cover their tracks, making it difficult to trace their activities and potentially leading to undetected data breaches or further malicious actions within the compromised AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' +search: '`amazon_security_lake` api.operation=DeleteLogGroup + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides 
security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. references: diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index a6a76f9130..70bfc7529f 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml 
@@ -8,7 +8,12 @@ type: Hunting description: The following analytic detects the deletion of critical AWS Security Services configurations, such as CloudWatch alarms, GuardDuty detectors, and Web Application Firewall rules. It leverages Amazon Security Lake logs to identify specific API calls like "DeleteLogStream" and "DeleteDetector." This activity is significant because adversaries often use these actions to disable security monitoring and evade detection. If confirmed malicious, this could allow attackers to operate undetected, leading to potential data breaches, unauthorized access, and prolonged persistence within the AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' +search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | 
`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `asl_aws_defense_evasion_impair_security_services_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index 2b843cd24f..5b27c1a62c 100644 --- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml 
@@ -8,7 +8,15 @@ type: Hunting
 description: The following analytic detects `PutBucketLifecycle` events in AWS CloudTrail logs where a user sets a lifecycle rule for an S3 bucket with an expiration period of fewer than three days. This detection leverages CloudTrail logs to identify suspicious lifecycle configurations. This activity is significant because attackers may use it to delete CloudTrail logs quickly, thereby evading detection and impairing forensic investigations. If confirmed malicious, this could allow attackers to cover their tracks, making it difficult to trace their actions and respond to the breach effectively.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bucketName | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`'
+search: '`amazon_security_lake` api.operation=PutBucketLifecycle
+ | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays
+ | where NoncurrentDays < 3
+ | spath input=api.request.data
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region NoncurrentDays bucketName
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | `asl_aws_defense_evasion_putbucketlifecycle_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.
 references:
diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
index 28a9d9a628..d6f9045a75 100644
--- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -8,8 +8,12 @@ type: TTP
 description: The following analytic detects `StopLogging` events within AWS CloudTrail logs, a critical action that adversaries may use to evade detection. By halting the logging of their malicious activities, attackers aim to operate undetected within a compromised AWS environment. This detection is achieved by monitoring for specific CloudTrail log entries that indicate the cessation of logging activities. Identifying such behavior is crucial for a Security Operations Center (SOC), as it signals an attempt to undermine the integrity of logging mechanisms, potentially allowing malicious activities to proceed without observation. The impact of this evasion tactic is significant, as it can severely hamper incident response and forensic investigations by obscuring the attacker's actions.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid
- as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`'
+search: '`amazon_security_lake` api.operation=StopLogging
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+ | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity.
 references:
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index 1b45a81b7f..3995e0c40c 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -8,7 +8,12 @@ type: TTP
 description: The following analytic detects `UpdateTrail` events within AWS CloudTrail logs, aiming to identify attempts by attackers to evade detection by altering logging configurations. By updating CloudTrail settings with incorrect parameters, such as changing multi-regional logging to a single region, attackers can impair the logging of their activities across other regions. This behavior is crucial for Security Operations Centers (SOCs) to identify, as it indicates an adversary's intent to operate undetected within a compromised AWS environment. The impact of such evasion tactics is significant, potentially allowing malicious activities to proceed without being logged, thereby hindering incident response and forensic investigations.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`'
+search: '`amazon_security_lake` api.operation=UpdateTrail
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+ | `asl_aws_defense_evasion_update_cloudtrail_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity.
 references:
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 41ee11048f..93a23128da 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -19,8 +19,8 @@ search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=Crea
  | search action=kms*
  | regex principal="\*"
  | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`'
 how_to_implement: The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: unknown
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index b475b18556..223bca5edb 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -13,8 +13,8 @@ search: '`amazon_security_lake` api.operation=PutBucketVersioning
  | spath input=api.request.data path=bucketName output=bucketName
  | search Status=Suspended
  | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data bucketName
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `asl_aws_disable_bucket_versioning_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
index baeb005631..9e0bc3e14f 100644
--- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
@@ -12,8 +12,8 @@ search: '`amazon_security_lake` api.operation=ModifySnapshotAttribute
  | spath input=api.request.data path=createVolumePermission.add.items{}.group output=group
  | search group=all
  | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ec2_snapshot_shared_externally_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index 6222a0b4f0..a306e628a9 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -8,7 +8,14 @@ type: Anomaly
 description: The following analytic detects the upload of new containers to AWS Elastic Container Service (ECR) outside of standard business hours through AWS CloudTrail events. It identifies this behavior by monitoring for `PutImage` events occurring before 8 AM or after 8 PM, as well as any uploads on weekends. This activity is significant for a SOC to investigate as it may indicate unauthorized access or malicious deployments, potentially leading to compromised services or data breaches. Identifying and addressing such uploads promptly can mitigate the risk of security incidents and their associated impacts.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent cloud.region | rename actor.user.uid as user, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`'
+search: '`amazon_security_lake` api.operation=PutImage
+ | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A")
+ | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | `asl_aws_ecr_container_upload_outside_business_hours_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: When your development is spreaded in different time zones, applying this rule can be difficult.
 references:
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
index 156aab0bc0..8188395258 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
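Review bot: The added `stats` line groups this `PutImage` (ECR) search by `api.request.data bucketName`, two fields the old search never used and that nothing in this search extracts — there is no `spath ... output=bucketName` as in the S3 searches. `stats` discards events whose split-by field is null, so unless `fillnull` happens to materialize those fields this search, and asl_aws_ecr_container_upload_unknown_user in the next hunk which has the same trailing pair, will most likely return no rows at all; it reads like a copy from the bucket-versioning search. Drop the two trailing fields: `| stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region`.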
@@ -8,7 +8,12 @@ type: Anomaly
 description: The following analytic detects unauthorized container uploads to AWS Elastic Container Service (ECR) by monitoring AWS CloudTrail events. It identifies instances where a new container is uploaded by a user not previously recognized as authorized. This detection is crucial for a SOC as it can indicate a potential compromise or misuse of AWS ECR, which could lead to unauthorized access to sensitive data or the deployment of malicious containers. By identifying and investigating these events, organizations can mitigate the risk of data breaches or other security incidents resulting from unauthorized container uploads. The impact of such an attack could be significant, compromising the integrity and security of the organization's cloud environment.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`'
+search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl`
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | `asl_aws_ecr_container_upload_unknown_user_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: unknown
 references:
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index c4c121d8b5..065f517035 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -10,9 +10,9 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.response.error=AccessDenied OR api.response.error=OperationNotPermittedException OR api.response.error=*Unauthorized* actor.user.type=IAMUser
  | bucket _time span=1h
- | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time
+ | stats count as failures min(_time) as firstTime max(_time) as lastTime dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region by _time actor.user.uid
  | where failures >= 5 AND dc_operation >= 1 AND dc_service >= 1
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_accessdenied_discovery_events_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk.
  To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
index 3eab43490b..b8dafe5438 100644
--- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
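Review bot: In the added `stats` line, `values(src_endpoint.ip) as src_ip` already renames the source address, so the later added `rename ... src_endpoint.ip as src ...` matches nothing and this search emits `src_ip` where every other search normalized in this change emits `src`; asl_aws_iam_assume_role_policy_brute_force in the next hunk has the same mismatch. Keeping the original name through `stats` lets the shared `rename` apply: `values(src_endpoint.ip) as src_endpoint.ip`. If `src_ip` is intended here, the other searches should use it too, otherwise downstream consumers keyed on `src` will miss these two.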
@@ -10,9 +10,9 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=AccessDenied
  | bucket _time span=1h
- | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time
+ | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region by _time actor.user.uid
  | where failures >= 3
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_assume_role_policy_brute_force_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml
index ea67cfda56..19be206901 100644
--- a/detections/cloud/asl_aws_iam_delete_policy.yml
+++ b/detections/cloud/asl_aws_iam_delete_policy.yml
@@ -8,7 +8,12 @@ type: Hunting
 description: The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`'
+search: '`amazon_security_lake` api.operation=DeletePolicy
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | `asl_aws_iam_delete_policy_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.
 references:
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index 81c04e1523..94669184e7 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -8,7 +8,12 @@ type: Anomaly
 description: The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`'
+search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | `asl_aws_iam_failure_group_deletion_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
 references:
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index 0eb874ecb5..14299b57b1 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -8,7 +8,12 @@ type: Hunting
 description: The following analytic detects the successful deletion of a group within AWS IAM, leveraging CloudTrail IAM events. This action, while not inherently malicious, can serve as a precursor to more sinister activities, such as unauthorized access or privilege escalation attempts. By monitoring for such deletions, the analytic aids in identifying potential preparatory steps towards an attack, allowing for early detection and mitigation. The identification of this behavior is crucial for a SOC to prevent the potential impact of an attack, which could include unauthorized access to sensitive resources or disruption of AWS environment operations.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`'
+search: '`amazon_security_lake` api.operation=DeleteGroup status=Success
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | `asl_aws_iam_successful_group_deletion_filter`'
 how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk.
 known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
 references:
diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
index a26e3c1500..7f5b84b0b7 100644
--- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
@@ -8,7 +8,12 @@ type: TTP
 description: The following analytic detects attempts to disable multi-factor authentication (MFA) for an AWS IAM user. It leverages Amazon Security Lake logs, specifically monitoring for `DeleteVirtualMFADevice` or `DeactivateMFADevice` API operations. This activity is significant as disabling MFA can indicate an adversary attempting to weaken account security to maintain persistence using a compromised account. If confirmed malicious, this action could allow attackers to retain access to the AWS environment without detection, potentially leading to unauthorized access to sensitive resources and prolonged compromise.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`'
+search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice)
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region
+ | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | `asl_aws_multi_factor_authentication_disabled_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services.
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company
 references:
diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
index 7d42dfa04e..df1507f1a0 100644
--- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
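Review bot: The `+ | stats` and `+ | rename` lines of asl_aws_multi_factor_authentication_disabled.yml only reflow the old search; they keep `user, src_ip, region` and omit `api.service.name` and `cloud.provider`, so this file never emits the `action`, `dest`, `src`, `vendor_account`, `vendor_product` and `vendor_region` fields that every other hunk in this commit produces. Anything consuming the normalised names across these ASL detections will silently get no values from this one. Unless the file is intentionally left out, the two lines should match the sibling hunks (for example the asl_aws_new_mfa_method_registered_for_user.yml hunk), keeping `actor.user.uid` in the `by` list so `user` stays populated.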
@@ -16,8 +16,8 @@ search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.opera
 | spath input=api.request.data path=networkAclId output=networkAclId
 | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId cidrBlock
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid as aws_account_id
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId cidrBlock
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
index 067e4b543f..74d6930168 100644
--- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
@@ -13,8 +13,8 @@ search: '`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Succe
 | spath input=api.request.data path=networkAclId output=networkAclId
 | search egress=false
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region networkAclId
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_deleted_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It's possible that a user has legitimately deleted a network ACL.
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index bf67c362b9..210f875259 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml 
@@ -8,7 +8,12 @@ type: TTP
 description: The following analytic identifies the registration of a new Multi-Factor Authentication (MFA) method for an AWS account, as logged through Amazon Security Lake (ASL). It detects this activity by monitoring the `CreateVirtualMFADevice` API operation within ASL logs. This behavior is significant because adversaries who gain unauthorized access to an AWS account may register a new MFA method to maintain persistence. If confirmed malicious, this activity could allow attackers to secure their access, making it harder to detect and remove their presence from the compromised environment.
 data_source:
 - ASL AWS CloudTrail
-search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`'
+search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | `asl_aws_new_mfa_method_registered_for_user_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS
services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.
 references:
diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml
index a33f61d9ed..8d17300500 100644
--- a/detections/cloud/asl_aws_saml_update_identity_provider.yml
+++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation=UpdateSAMLProvider
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_saml_update_identity_provider_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.
diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml
index eab3050952..72df96e825 100644
--- a/detections/cloud/asl_aws_updateloginprofile.yml
+++ b/detections/cloud/asl_aws_updateloginprofile.yml
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation=UpdateLoginProfile
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region
- | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent
+ | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_updateloginprofile_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.

From 3349099691998086dc7059bd178601d54a8d5f03 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss Date: Mon, 3 Feb 2025 10:15:07 +0100 Subject: [PATCH 02/15] output normlaization --- data_sources/aws_cloudtrail.yml | 1 - .../aws_cloudtrail_assumerolewithsaml.yml | 1 - data_sources/aws_cloudtrail_consolelogin.yml | 1 - data_sources/aws_cloudtrail_copyobject.yml | 1 - .../aws_cloudtrail_createaccesskey.yml | 1 - data_sources/aws_cloudtrail_createkey.yml | 1 - .../aws_cloudtrail_createloginprofile.yml | 1 - .../aws_cloudtrail_createnetworkaclentry.yml | 1 - .../aws_cloudtrail_createpolicyversion.yml | 1 - .../aws_cloudtrail_createsnapshot.yml | 1 - data_sources/aws_cloudtrail_createtask.yml | 1 - .../aws_cloudtrail_createvirtualmfadevice.yml | 1 - .../aws_cloudtrail_deactivatemfadevice.yml | 1 - ...cloudtrail_deleteaccountpasswordpolicy.yml | 1 - data_sources/aws_cloudtrail_deletealarms.yml | 1 - .../aws_cloudtrail_deletedetector.yml | 1 - data_sources/aws_cloudtrail_deletegroup.yml | 1 - data_sources/aws_cloudtrail_deleteipset.yml | 1 - .../aws_cloudtrail_deleteloggroup.yml | 1 - .../aws_cloudtrail_deletelogstream.yml | 1 - .../aws_cloudtrail_deletenetworkaclentry.yml | 1 - data_sources/aws_cloudtrail_deletepolicy.yml | 1 - data_sources/aws_cloudtrail_deleterule.yml | 1 - .../aws_cloudtrail_deletesnapshot.yml | 1 - data_sources/aws_cloudtrail_deletetrail.yml | 1 - .../aws_cloudtrail_deletevirtualmfadevice.yml | 1 - data_sources/aws_cloudtrail_deletewebacl.yml | 1 - ...aws_cloudtrail_describeeventaggregates.yml | 1 - ...s_cloudtrail_describeimagescanfindings.yml | 1 - ...ws_cloudtrail_getaccountpasswordpolicy.yml | 1 - data_sources/aws_cloudtrail_getobject.yml | 1 - .../aws_cloudtrail_getpassworddata.yml | 1 - data_sources/aws_cloudtrail_jobcreated.yml | 1 - .../aws_cloudtrail_modifydbinstance.yml | 1 - .../aws_cloudtrail_modifyimageattribute.yml | 1 - ...aws_cloudtrail_modifysnapshotattribute.yml | 1 - data_sources/aws_cloudtrail_putbucketacl.yml | 1 - .../aws_cloudtrail_putbucketlifecycle.yml | 1 - 
.../aws_cloudtrail_putbucketreplication.yml | 1 - .../aws_cloudtrail_putbucketversioning.yml | 1 - data_sources/aws_cloudtrail_putimage.yml | 1 - data_sources/aws_cloudtrail_putkeypolicy.yml | 1 - .../aws_cloudtrail_replacenetworkaclentry.yml | 1 - ...aws_cloudtrail_setdefaultpolicyversion.yml | 1 - data_sources/aws_cloudtrail_stoplogging.yml | 1 - ...cloudtrail_updateaccountpasswordpolicy.yml | 1 - .../aws_cloudtrail_updateloginprofile.yml | 1 - .../aws_cloudtrail_updatesamlprovider.yml | 1 - data_sources/aws_cloudtrail_updatetrail.yml | 1 - ...concurrent_sessions_from_different_ips.yml | 4 +-- .../cloud/asl_aws_create_access_key.yml | 4 +-- ..._policy_version_to_allow_all_resources.yml | 4 +-- ..._aws_credential_access_getpassworddata.yml | 6 ++-- ...s_credential_access_rds_password_reset.yml | 6 ++-- ..._aws_defense_evasion_delete_cloudtrail.yml | 6 ++-- ...se_evasion_delete_cloudwatch_log_group.yml | 6 ++-- ...fense_evasion_impair_security_services.yml | 4 +-- ...aws_defense_evasion_putbucketlifecycle.yml | 4 +-- ...efense_evasion_stop_logging_cloudtrail.yml | 10 +++--- ..._aws_defense_evasion_update_cloudtrail.yml | 10 +++--- ...g_keys_with_encrypt_policy_without_mfa.yml | 4 +-- .../asl_aws_disable_bucket_versioning.yml | 8 ++--- ...asl_aws_ec2_snapshot_shared_externally.yml | 8 ++--- ...ontainer_upload_outside_business_hours.yml | 4 +-- ..._aws_ecr_container_upload_unknown_user.yml | 6 ++-- ..._aws_iam_accessdenied_discovery_events.yml | 2 +- ...aws_iam_assume_role_policy_brute_force.yml | 2 +- .../cloud/asl_aws_iam_delete_policy.yml | 4 +-- .../asl_aws_iam_failure_group_deletion.yml | 8 ++--- .../asl_aws_iam_successful_group_deletion.yml | 4 +-- ...s_multi_factor_authentication_disabled.yml | 2 +- ...ntrol_list_created_with_all_open_ports.yml | 6 ++-- ...ws_network_access_control_list_deleted.yml | 8 ++--- ...aws_new_mfa_method_registered_for_user.yml | 4 +-- .../asl_aws_saml_update_identity_provider.yml | 8 ++--- .../cloud/asl_aws_updateloginprofile.yml | 8 
++--- ...ttribute_modification_for_exfiltration.yml | 31 ++++++++--------- ...concurrent_sessions_from_different_ips.yml | 28 +++++++++------- ...sole_login_failed_during_mfa_challenge.yml | 24 +++++++------- ..._policy_version_to_allow_all_resources.yml | 16 +++++---- detections/cloud/aws_createaccesskey.yml | 13 ++++---- detections/cloud/aws_createloginprofile.yml | 33 ++++++++++--------- .../aws_credential_access_failed_login.yml | 13 ++++---- .../aws_credential_access_getpassworddata.yml | 29 ++++++++-------- ...s_credential_access_rds_password_reset.yml | 15 +++++---- .../aws_defense_evasion_delete_cloudtrail.yml | 22 ++++++------- ...se_evasion_delete_cloudwatch_log_group.yml | 22 ++++++------- ...fense_evasion_impair_security_services.yml | 8 ++--- ...aws_defense_evasion_putbucketlifecycle.yml | 11 ++++--- ...efense_evasion_stop_logging_cloudtrail.yml | 22 ++++++------- .../aws_defense_evasion_update_cloudtrail.yml | 22 ++++++------- ...g_keys_with_encrypt_policy_without_mfa.yml | 21 +++++++----- ...ctivity_from_previously_unseen_account.yml | 2 +- .../aws_detect_attach_to_role_policy.yml | 2 +- .../aws_detect_permanent_key_creation.yml | 2 +- .../aws_detect_role_creation.yml | 2 +- .../aws_detect_sts_assume_role_abuse.yml | 2 +- ...aws_detect_sts_get_session_token_abuse.yml | 2 +- 98 files changed, 256 insertions(+), 285 deletions(-) rename detections/{cloud => deprecated}/aws_cross_account_activity_from_previously_unseen_account.yml (99%) rename detections/{cloud => deprecated}/aws_detect_attach_to_role_policy.yml (98%) rename detections/{cloud => deprecated}/aws_detect_permanent_key_creation.yml (98%) rename detections/{cloud => deprecated}/aws_detect_role_creation.yml (98%) rename detections/{cloud => deprecated}/aws_detect_sts_assume_role_abuse.yml (98%) rename detections/{cloud => deprecated}/aws_detect_sts_get_session_token_abuse.yml (98%) 
diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml
index 7b0fe94375..9e08d84798 100644
--- a/data_sources/aws_cloudtrail.yml
+++ b/data_sources/aws_cloudtrail.yml
@@ -16,7 +16,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
index 1e084d3f2a..3c2a905232 100644
--- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml
+++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml
@@ -129,7 +129,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml
index a0e6ac0ab0..263694b211 100644
--- a/data_sources/aws_cloudtrail_consolelogin.yml
+++ b/data_sources/aws_cloudtrail_consolelogin.yml
@@ -105,7 +105,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml
index 8a18f7196b..318202537e 100644
--- a/data_sources/aws_cloudtrail_copyobject.yml
+++ b/data_sources/aws_cloudtrail_copyobject.yml
@@ -122,7 +122,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml
index ba52e7cc49..9e42026ff5 100644
--- a/data_sources/aws_cloudtrail_createaccesskey.yml
+++ b/data_sources/aws_cloudtrail_createaccesskey.yml
@@ -106,7 +106,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml
index 559d8f6805..0e01a7bb8b 100644
--- a/data_sources/aws_cloudtrail_createkey.yml
+++ b/data_sources/aws_cloudtrail_createkey.yml
@@ -153,7 +153,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml
index 62e8a84d9e..a5aaea6793 100644
--- a/data_sources/aws_cloudtrail_createloginprofile.yml
+++ b/data_sources/aws_cloudtrail_createloginprofile.yml
@@ -105,7 +105,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
index 0b6513a87b..365fe3b792 100644
--- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml
@@ -124,7 +124,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml
index a6bc2e77fa..89c31170da 100644
--- a/data_sources/aws_cloudtrail_createpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_createpolicyversion.yml
@@ -109,7 +109,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml
index 4f15149046..70681ecc8a 100644
--- a/data_sources/aws_cloudtrail_createsnapshot.yml
+++ b/data_sources/aws_cloudtrail_createsnapshot.yml
@@ -121,7 +121,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml
index f32fbe482a..c33b7d6b91 100644
--- a/data_sources/aws_cloudtrail_createtask.yml
+++ b/data_sources/aws_cloudtrail_createtask.yml
@@ -124,7 +124,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
index fcde36eecb..cf9f8511c2 100644
--- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml
@@ -103,7 +103,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
index ffd2cce1a4..d7465131cf 100644
--- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml
+++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml
@@ -103,7 +103,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
index 2e8b539ce8..8701363910 100644
--- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml
@@ -103,7 +103,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml
index 7710191a7d..069e02421b 100644
--- a/data_sources/aws_cloudtrail_deletealarms.yml
+++ b/data_sources/aws_cloudtrail_deletealarms.yml
@@ -144,7 +144,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml
index 9f458387e9..721570e91c 100644
--- a/data_sources/aws_cloudtrail_deletedetector.yml
+++ b/data_sources/aws_cloudtrail_deletedetector.yml
@@ -101,7 +101,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml
index bcd6b53f7b..8c14a6af7a 100644
--- a/data_sources/aws_cloudtrail_deletegroup.yml
+++ b/data_sources/aws_cloudtrail_deletegroup.yml
@@ -105,7 +105,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml
index 7300dd3775..9031ea53b4 100644
--- a/data_sources/aws_cloudtrail_deleteipset.yml
+++ b/data_sources/aws_cloudtrail_deleteipset.yml
@@ -102,7 +102,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml
index 8bd1c24727..7f982ceb0e 100644
--- a/data_sources/aws_cloudtrail_deleteloggroup.yml
+++ b/data_sources/aws_cloudtrail_deleteloggroup.yml
@@ -103,7 +103,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml
index 23ac7d5217..52181969ea 100644
--- a/data_sources/aws_cloudtrail_deletelogstream.yml
+++ b/data_sources/aws_cloudtrail_deletelogstream.yml
@@ -104,7 +104,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
index 3a81b49a5c..8005c82155 100644
--- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml
@@ -113,7 +113,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml
index 362f8d64b0..040473b3a6 100644
--- a/data_sources/aws_cloudtrail_deletepolicy.yml
+++ b/data_sources/aws_cloudtrail_deletepolicy.yml
@@ -105,7 +105,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml
index da5c248eb7..2f3232bfb5 100644
--- a/data_sources/aws_cloudtrail_deleterule.yml
+++ b/data_sources/aws_cloudtrail_deleterule.yml
@@ -105,7 +105,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml
index f5d7b3e37b..e0155c74a8 100644
--- a/data_sources/aws_cloudtrail_deletesnapshot.yml
+++ b/data_sources/aws_cloudtrail_deletesnapshot.yml
@@ -148,7 +148,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml
index bbd8895df7..4ec1ef90ba 100644
--- a/data_sources/aws_cloudtrail_deletetrail.yml
+++ b/data_sources/aws_cloudtrail_deletetrail.yml
@@ -101,7 +101,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
index 65b63154e3..b87142f029 100644
--- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
+++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml
@@ -103,7 +103,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml
index fa5f221fe4..0ce614a7cb 100644
--- a/data_sources/aws_cloudtrail_deletewebacl.yml
+++ b/data_sources/aws_cloudtrail_deletewebacl.yml
@@ -105,7 +105,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml
index f5d9d3481a..21cc14e3cd 100644
--- a/data_sources/aws_cloudtrail_describeeventaggregates.yml
+++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml
@@ -100,7 +100,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
index 4c7474123b..61bddc3712 100644
--- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml
+++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml
@@ -898,7 +898,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
index a0bab6ed21..2b4c7429bb 100644
--- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml
@@ -102,7 +102,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml
index f4d8f6a98d..aab598c1bc 100644
--- a/data_sources/aws_cloudtrail_getobject.yml
+++ b/data_sources/aws_cloudtrail_getobject.yml
@@ -116,7 +116,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml
index 0ecc4a9853..84ea9af5d4 100644
--- a/data_sources/aws_cloudtrail_getpassworddata.yml
+++ b/data_sources/aws_cloudtrail_getpassworddata.yml
@@ -118,7 +118,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml
index 2cfd2a971e..54fc24344d 100644
--- a/data_sources/aws_cloudtrail_jobcreated.yml
+++ b/data_sources/aws_cloudtrail_jobcreated.yml
@@ -87,7 +87,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml
index 0099164677..fa58fd422b 100644
--- a/data_sources/aws_cloudtrail_modifydbinstance.yml
+++ b/data_sources/aws_cloudtrail_modifydbinstance.yml
@@ -196,7 +196,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml
index 2ed3f141ac..700a603c98 100644
--- a/data_sources/aws_cloudtrail_modifyimageattribute.yml
+++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml
@@ -111,7 +111,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
index 984eed009c..04afe923ed 100644
--- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
+++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml
@@ -104,7 +104,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml
index dd9244bcaa..ef98930c84 100644
--- a/data_sources/aws_cloudtrail_putbucketacl.yml
+++ b/data_sources/aws_cloudtrail_putbucketacl.yml
@@ -119,7 +119,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
index 3bf8e3044a..dad863d22e 100644
--- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml
+++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml
@@ -123,7 +123,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml
index 29af5a9296..c45101b958 100644
--- a/data_sources/aws_cloudtrail_putbucketreplication.yml
+++ b/data_sources/aws_cloudtrail_putbucketreplication.yml
@@ -144,7 +144,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml
index 98d0b3bbb1..de4fc45953 100644
--- a/data_sources/aws_cloudtrail_putbucketversioning.yml
+++ b/data_sources/aws_cloudtrail_putbucketversioning.yml
@@ -132,7 +132,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml
index 6767023899..62fa6781ac 100644
--- a/data_sources/aws_cloudtrail_putimage.yml
+++ b/data_sources/aws_cloudtrail_putimage.yml
@@ -154,7 +154,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml
index 673cfe26ba..24e1f88029 100644
--- a/data_sources/aws_cloudtrail_putkeypolicy.yml
+++ b/data_sources/aws_cloudtrail_putkeypolicy.yml
@@ -135,7 +135,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
index 96ccbb6f6b..66dcc640fe 100644
--- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
+++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml
@@ -121,7 +121,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
index 45f6c59184..8bac67962d 100644
--- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
+++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml
@@ -102,7 +102,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml
index 05bab8be43..0f8bcd81a8 100644
--- a/data_sources/aws_cloudtrail_stoplogging.yml
+++ b/data_sources/aws_cloudtrail_stoplogging.yml
@@ -98,7 +98,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
index cd2b197c3a..d536a6047d 100644
--- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
+++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml
@@ -110,7 +110,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml
index c412ba3d29..e4b9518169 100644
--- a/data_sources/aws_cloudtrail_updateloginprofile.yml
+++ b/data_sources/aws_cloudtrail_updateloginprofile.yml
@@ -100,7 +100,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml
index 89da13bbb3..78f8971df6 100644
--- a/data_sources/aws_cloudtrail_updatesamlprovider.yml
+++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml
@@ -190,7 +190,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml
index 8d4215f3ad..2353f80b41 100644
--- a/data_sources/aws_cloudtrail_updatetrail.yml
+++ b/data_sources/aws_cloudtrail_updatetrail.yml
@@ -110,7 +110,6 @@ output_fields:
 - dest
 - user
 - user_agent
-- status
 - src
 - vendor_account
 - vendor_region
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index e31576cdea..fb3ba01e71 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -12,7 +12,7 @@ search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoi
 | bin span=5m _time
 | stats min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid
 | where distinct_ip_count > 1
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 | `asl_aws_concurrent_sessions_from_different_ips_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
@@ -43,7 +43,7 @@ rba:
 type: user
 score: 42
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml
index d609bae9cf..16755e6555 100644
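Review bot: The rewritten rename line in this hunk carries a stray second `action` token — `api.operation as action action api.service.name as dest` — which is not valid `rename` syntax and will most likely make the search error out rather than map `api.service.name` to `dest`; the line should read `| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region`. The same duplicated token appears in every other detection hunk of this patch (asl_aws_create_access_key through asl_aws_disable_bucket_versioning), so all of them need the same one-word fix. Separately, in this detection the unchanged stats line already aliases `values(src_endpoint.ip) as src_ip`, so `src_endpoint.ip as src` in the rename has no field to act on and the threat object switched to `field: src` will reference a field that does not exist in the result set; change the stats alias to `values(src_endpoint.ip) as src` (or keep the threat object on `src_ip`) so the risk event still carries the source IP.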
--- a/detections/cloud/asl_aws_create_access_key.yml
+++ b/detections/cloud/asl_aws_create_access_key.yml
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation=CreateAccessKey
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 |`asl_aws_create_access_key_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
index 2c8a070d64..e77c0c5a9c 100644
--- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
@@ -14,8 +14,8 @@ search: '`amazon_security_lake` api.operation=CreatePolicy
 | regex Statement{}.Action="\*"
 | regex Statement{}.Resource="\*"
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 |`asl_aws_create_policy_version_to_allow_all_resources_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
index fd67f6a248..77e92bc93a 100644
--- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
@@ -11,8 +11,8 @@ data_source:
 search: '`amazon_security_lake` api.operation=GetPasswordData
 | spath input=api.request.data
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region instanceId
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region instanceId
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 |`asl_aws_credential_access_getpassworddata_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
@@ -36,7 +36,7 @@ rba:
 type: user
 score: 49
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
index 43eb93499f..0ee29d8570 100644
--- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
@@ -12,8 +12,8 @@ search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=
 | spath input=api.request.data
 | search masterUserPassword=*
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 |`asl_aws_credential_access_rds_password_reset_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
@@ -36,7 +36,7 @@ rba:
 type: user
 score: 49
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
index 19c72070dd..3b580e286e 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation=DeleteTrail
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 | `asl_aws_defense_evasion_delete_cloudtrail_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
@@ -39,7 +39,7 @@ rba:
 type: user
 score: 90
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
index 8a86a89fb6..74adabc4c2 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation=DeleteLogGroup
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 | `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
@@ -39,7 +39,7 @@ rba:
 type: user
 score: 90
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
index 70bfc7529f..8d47e58a44 100644
--- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 | `asl_aws_defense_evasion_impair_security_services_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
index 5b27c1a62c..5ea1801468 100644
--- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
+++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
@@ -13,8 +13,8 @@ search: '`amazon_security_lake` api.operation=PutBucketLifecycle
 | where NoncurrentDays < 3
 | spath input=api.request.data
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region NoncurrentDays bucketName
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region NoncurrentDays bucketName
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
 | `asl_aws_defense_evasion_putbucketlifecycle_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
index d6f9045a75..d448478afe 100644
--- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation=StopLogging
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
@@ -33,14 +33,14 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: User $user$ has stopped Cloudtrail logging for account id $aws_account_id$
- from IP $src_ip$
+ message: User $user$ has stopped Cloudtrail logging for account id $vendor_account$
+ from IP $src$
 risk_objects:
 - field: user
 type: user
 score: 90
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index 3995e0c40c..004514e06e 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation=UpdateTrail
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
 | `asl_aws_defense_evasion_update_cloudtrail_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
@@ -33,14 +33,14 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: User $user$ has updated a cloudtrail logging for account id $aws_account_id$
- from IP $src_ip$
+ message: User $user$ has updated a cloudtrail logging for account id $vendor_account$
+ from IP $src$
 risk_objects:
 - field: user
 type: user
 score: 90
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 93a23128da..ab1abd48c4 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -19,8 +19,8 @@ search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=Crea
 | search action=kms*
 | regex principal="\*"
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`'
 how_to_implement: The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: unknown
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index 223bca5edb..57a0b89df8 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -13,8 +13,8 @@ search: '`amazon_security_lake` api.operation=PutBucketVersioning
 | spath input=api.request.data path=bucketName output=bucketName
 | search Status=Suspended
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `asl_aws_disable_bucket_versioning_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.
@@ -31,13 +31,13 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src_ip$
+ message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src$
 risk_objects:
 - field: user
 type: user
 score: 64
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
index 9e0bc3e14f..80b5e266b4 100644
--- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
@@ -12,8 +12,8 @@ search: '`amazon_security_lake` api.operation=ModifySnapshotAttribute
 | spath input=api.request.data path=createVolumePermission.add.items{}.group output=group
 | search group=all
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ec2_snapshot_shared_externally_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
@@ -31,13 +31,13 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: AWS EC2 snapshot from user $user$ is shared publicly by user $user$
+ message: AWS EC2 snapshot from user $user$ is shared publicly
 risk_objects:
 - field: user
 type: user
 score: 48
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index a306e628a9..372f16b9b2 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -12,8 +12,8 @@ search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName - | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName + | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index 8188395258..311e4dabdf 100644 
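Review bot: The new `stats ... by` line still ends in `api.request.data bucketName` for a PutImage (ECR) search, yet nothing between the `search:` line shown in the hunk header and this `stats` extracts a `bucketName` field (no `spath`, unlike asl_aws_disable_bucket_versioning.yml), and a `by` field that exists on no event makes `stats` return no rows, which silently blanks the detection; the sibling asl_aws_ecr_container_upload_unknown_user.yml hunk in this same commit drops exactly those two fields for the same operation, so this one should match it: `| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region`. This assumes automatic field extraction does not happen to produce `bucketName` from the request payload; if it does the point is moot. Separately, the unchanged `where` line `weekday=Saturday OR weekday=Sunday` compares `weekday` against fields named Saturday and Sunday rather than the strings, since `where` needs quoted literals, so `weekday="Saturday" OR weekday="Sunday"` is what is intended.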
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml @@ -10,8 +10,8 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName - | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. @@ -39,7 +39,7 @@ rba: type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: 
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index 065f517035..62fc5f0c3e 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -12,7 +12,7 @@ search: '`amazon_security_lake` api.response.error=AccessDenied OR api.response. | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region by _time actor.user.uid | where failures >= 5 AND dc_operation >= 1 AND dc_service >= 1 - | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_accessdenied_discovery_events_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml index b8dafe5438..7dba8a15a4 100644 
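Review bot: The `src` field this `| rename` is meant to produce never exists in this search, because the preceding `stats` (an unchanged context line) already emits the address as `values(src_endpoint.ip) as src_ip`, so `src_endpoint.ip as src` matches nothing and any rba threat object in this file that was switched to `src` (not visible in the hunk) would be empty. Either carry the original name through the aggregation, `values(src_endpoint.ip) as src_endpoint.ip`, or rename `src_ip as src` on the new line. The same `src_ip`-then-`src_endpoint.ip` mismatch is in the asl_aws_iam_assume_role_policy_brute_force.yml hunk that follows, so both files need the same fix.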
--- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
@@ -12,7 +12,7 @@ search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=
 | bucket _time span=1h
 | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region by _time actor.user.uid
 | where failures >= 3
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_assume_role_policy_brute_force_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml index 19be206901..65352ab7f3 100644 --- a/detections/cloud/asl_aws_iam_delete_policy.yml +++ b/detections/cloud/asl_aws_iam_delete_policy.yml @@ -10,8 +10,8 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml index 94669184e7..736061d5cd 100644 --- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml @@ -10,8 +10,8 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. 
@@ -35,13 +35,13 @@ drilldown_searches: latest_offset: $info_max_time$ rba: message: User $user$ has had mulitple failures while attempting to delete groups - from $src_ip$ + from $src$ risk_objects: - field: user type: user score: 5 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml index 14299b57b1..56cbda4ca9 100644 --- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml +++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml @@ -10,8 +10,8 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. 
diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml index 7f5b84b0b7..9dc31b9856 100644 --- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml @@ -10,7 +10,7 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml index df1507f1a0..55b7f40389 100644 --- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml 
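Review bot: This file's `| rename` (left as an unchanged context line) still maps `src_endpoint.ip as src_ip` and `cloud.region as region` and produces no `action`, `dest`, `vendor_account`, `vendor_product` or `vendor_region`, so asl_aws_multi_factor_authentication_disabled.yml ends up with a different output schema from every other ASL detection normalized in this commit, and anything keyed on `src` or `vendor_*` will miss it. If a uniform schema is the goal, the line should become `| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region`, with `api.service.name` and `cloud.provider` added to the new `stats ... by` list so those fields survive the aggregation. Whether this file's rba block still references `src_ip` is outside the hunk, so I cannot tell if the two halves are consistent.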
@@ -16,8 +16,8 @@ search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.opera
 | spath input=api.request.data path=networkAclId output=networkAclId
 | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId cidrBlock
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId cidrBlock
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
@@ -38,7 +38,7 @@ rba:
 type: user
 score: 48
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
index 74d6930168..37ca6542eb 100644
--- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
@@ -13,8 +13,8 @@ search: '`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Succe
 | spath input=api.request.data path=networkAclId output=networkAclId
 | search egress=false
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_deleted_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It's possible that a user has legitimately deleted a network ACL.
@@ -29,13 +29,13 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: User $user$ from $src_ip$ has sucessfully deleted network ACLs entry.
+ message: User $user$ from $src$ has sucessfully deleted network ACLs entry.
 risk_objects:
 - field: user
 type: user
 score: 5
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index 210f875259..719531bfa0 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
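Review bot: The rewritten `message` line keeps the existing typo and number slip, `has sucessfully deleted network ACLs entry`; since the line is being touched anyway it should read `message: User $user$ from $src$ has successfully deleted a network ACL entry.`. This text is what analysts see on the resulting risk event, so it is worth getting right in the same edit.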
@@ -10,8 +10,8 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml index 8d17300500..b0e1b7215d 100644 --- a/detections/cloud/asl_aws_saml_update_identity_provider.yml +++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml 
@@ -10,8 +10,8 @@ data_source:
 - ASL AWS CloudTrail
 search: '`amazon_security_lake` api.operation=UpdateSAMLProvider
 | fillnull
- | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
+ | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_saml_update_identity_provider_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored.
@@ -30,13 +30,13 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: User $user$ from IP address $src_ip$ updated the SAML provider
+ message: User $user$ from IP address $src$ updated the SAML provider
 risk_objects:
 - field: user
 type: user
 score: 64
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml
index 72df96e825..a49de5d3b7 100644
--- a/detections/cloud/asl_aws_updateloginprofile.yml
+++ b/detections/cloud/asl_aws_updateloginprofile.yml
@@ -10,8 +10,8 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=UpdateLoginProfile | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_updateloginprofile_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. 
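Review bot: The same doubled token as in the SAML detection appears here, `api.operation as action action api.service.name as dest`, and will make this search error out rather than normalize; the fix is to delete the second `action`: `| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region`. While here, the `known_false_positives` context line still talks about an admin who "legitimately created keys for another user", which describes CreateAccessKey, not UpdateLoginProfile; a sentence about legitimately resetting another user's console password would match this analytic.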
@@ -28,13 +28,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user$ from IP address $src_ip$ updated the login profile of another user + message: User $user$ from IP address $src$ updated the login profile of another user risk_objects: - field: user type: user score: 30 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml index dbe7760777..cd1cbfff5e 100644 --- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml +++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml 
@@ -15,13 +15,14 @@ description: The following analytic detects suspicious modifications to AWS AMI could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information. search: '`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId - = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group - as group_added | rename requestParameters.launchPermission.add.items{}.userId as - accounts_added | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not - Public") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) - values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName - userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`' + = * OR requestParameters.launchPermission.add.items{}.group = all) + | rename requestParameters.launchPermission.add.items{}.group as group_added + | rename requestParameters.launchPermission.add.items{}.userId as accounts_added + | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public") + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) as group_added values(accounts_added) as accounts_added values(ami_status) as ami_status by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`' how_to_implement: You must install splunk AWS add on and 
Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS admin has legitimately shared a @@ -31,12 +32,12 @@ references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/ - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -45,14 +46,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ - from $src_ip$ or AMI made is made Public. + message: AWS AMI from account $vendor_account$ is shared externally with $accounts_added$ + from $src$ or AMI made is made Public. risk_objects: - - field: user_arn + - field: user type: user score: 80 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: 
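Review bot: The new `rename ... userName as user` followed by `stats ... by action dest user ...` can silently drop the events this analytic most needs: raw CloudTrail carries the name at `userIdentity.userName`, which is absent for `AssumedRole`, `Root` and federated principals, and `stats` discards any row whose by-field is null, so an AMI shared from a role session would not be reported at all (the old search keyed on `user_arn`, which covered those cases). Unless the add-on is known to supply a top-level `userName` for every identity type — worth confirming against a role-session event — derive the field explicitly before the stats: `| eval user=coalesce('userIdentity.userName', 'userIdentity.sessionContext.sessionIssuer.userName', 'userIdentity.arn')`. The same `rename`/`stats` pattern is repeated across the other CloudTrail detections in this commit, so if a shared macro is introduced for the normalization this is where it belongs.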
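Review bot: The rewritten risk message still ends `... from $src$ or AMI made is made Public.`, which is garbled; `... from $src$, or the AMI was made public.` reads cleanly. `$accounts_added$` and `$src$` both expand to multivalue lists when several values fall in one window, which is acceptable here but means the message can get long on a wide share.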
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml index fe2a6912a7..86f240062a 100644 --- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml @@ -15,10 +15,14 @@ description: The following analytic identifies an AWS IAM account with concurren exploitation within the AWS environment. data_source: - AWS CloudTrail DescribeEventAggregates -search: '`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" | - bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as - src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count - > 1 | `aws_concurrent_sessions_from_different_ips_filter`' +search: '`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" + | bin span=5m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(action) as action values(src) as src values(dest) as dest dc(src) as distinct_ip_count by _time user vendor_account vendor_region vendor_product + | where distinct_ip_count > 1 + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` + | `aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: A user with concurrent sessions from different Ips may also 
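Review bot: Adding `vendor_region` to the `stats ... by _time user vendor_account vendor_region vendor_product` key changes what the analytic counts: `dc(src)` is now computed per region, so a user active from two IPs whose calls landed in different regions inside the same 5-minute bin could be split into two rows with `distinct_ip_count=1` each and never cross the `> 1` threshold (the old search grouped only by `_time user_arn`). If region is wanted in the output, carry it as a value rather than a key: `| stats min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(action) as action values(src) as src values(dest) as dest values(vendor_region) as vendor_region dc(src) as distinct_ip_count by _time user vendor_account vendor_product`. The `user` key has the same null-dropping caveat for assumed-role sessions as the other rewritten searches, since raw CloudTrail only has `userIdentity.userName`.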
@@ -29,12 +33,12 @@ references: - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ - https://github.com/kgretzky/evilginx2 drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,14 +47,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has concurrent sessions from more than one unique IP address - $src_ip$ in the span of 5 minutes. + message: User $user$ has concurrent sessions from more than one unique IP address + $src$ in the span of 5 minutes. risk_objects: - - field: user_arn + - field: user type: user score: 42 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml index 7938f15e75..b260818853 100644 --- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml +++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml 
@@ -15,11 +15,13 @@ description: The following analytic identifies failed authentication attempts to attacks if MFA is bypassed. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" - additionalEventData.MFAUsed = "Yes" | stats count min(_time) as firstTime max(_time) - as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent - eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`' +search: '`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product additionalEventData.MFAUsed errorMessage + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `aws_console_login_failed_during_mfa_challenge_filter`' how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: Legitimate users may miss to reply the MFA challenge within 
@@ -28,12 +30,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for - "$user_name$" - search: '%original_detection_search% | search user_name = "$user_name$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -42,10 +44,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ failed to pass MFA challenge while logging into console + message: User $user$ failed to pass MFA challenge while logging into console from $src$ risk_objects: - - field: user_name + - field: user type: user score: 64 threat_objects: diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml index 5f46f6eb98..dac90e0d88 100644 --- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml 
@@ -14,13 +14,15 @@ description: The following analytic identifies the creation of a new AWS IAM pol to unauthorized actions, data exfiltration, or further compromise of the AWS environment. data_source: - AWS CloudTrail CreatePolicyVersion -search: '`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com - errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements - path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements - output=key_policy_action_1 path=Action | where key_policy_action_1 = "*" | stats - count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) - as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID - awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`' +search: '`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success + | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} + | mvexpand key_policy_statements + | spath input=key_policy_statements output=key_policy_action_1 path=Action + | where key_policy_action_1 = "*" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_create_policy_version_to_allow_all_resources_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml index 5e4a3636e3..3c72c9c31c 100644 --- a/detections/cloud/aws_createaccesskey.yml +++ b/detections/cloud/aws_createaccesskey.yml @@ -14,12 +14,13 @@ description: The following analytic identifies the creation of AWS IAM access ke access to AWS services, data exfiltration, and long-term persistence in the environment. data_source: - AWS CloudTrail CreateAccessKey -search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com - errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) - | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by - requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent - eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`' +search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success + | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) + | search match=0 + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: While this search has no known false positives, it is possible 
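Review bot: The `eval match=if(match(userIdentity.userName,requestParameters.userName),1,0)` line kept on the new side very likely never does what it intends: in `eval`, a field name containing a dot must be single-quoted, otherwise `userIdentity.userName` is parsed as the concatenation `userIdentity . userName` of two non-existent fields and yields null, so `match` is 0 for every event and `search match=0` filters nothing. The comparison also treats the target user name as a regex, and `UserName` is optional on CreateAccessKey (omitted when a principal creates a key for itself), so an equality on quoted fields with a null guard is more robust: `| eval match=if(isnull('requestParameters.userName') OR 'userIdentity.userName'='requestParameters.userName',1,0)`. Separately, the new `stats` no longer carries `requestParameters.userName`, so the result no longer says which user received the key; add `values(requestParameters.userName) as target_user` to the stats so the notable identifies the target.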
diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml index d72c2ed8a9..bc3cb88f17 100644 --- a/detections/cloud/aws_createloginprofile.yml +++ b/detections/cloud/aws_createloginprofile.yml 
@@ -14,13 +14,16 @@ description: The following analytic identifies the creation of a login profile f to escalate privileges and maintain persistent access to the AWS environment. data_source: - AWS CloudTrail CreateLoginProfile AND AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName - as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | - join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | - rename userIdentity.userName as new_login_profile | stats count values(eventName) - min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode - userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile - src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] +search: '`cloudtrail` eventName = CreateLoginProfile + | rename requestParameters.userName as new_login_profile + | table src_ip eventName new_login_profile userIdentity.userName + | join new_login_profile src_ip + [| search `cloudtrail` eventName = ConsoleLogin + | rename userIdentity.userName as new_login_profile + | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" | `aws_createloginprofile_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
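Review bot: The added `rename eventName as action, eventSource as dest, userName as user, ..., sourceIPAddress as src, userIdentity.accountId as vendor_account, ...` runs after the `table` and `join`, at which point none of `userName`, `sourceIPAddress` or `userIdentity.accountId` exist: the outer side was reduced to `src_ip eventName new_login_profile userIdentity.userName` and the subsearch emits `src_ip`, `aws_account_id`, `user_arn` and friends, so `user`, `src` and `vendor_account` come out null and the `user` risk object and `src` threat object in the next hunk will be empty. Rename the fields that actually survive the join: `| rename eventName as action, eventSource as dest, userIdentity.userName as user, userAgent as user_agent, src_ip as src, aws_account_id as vendor_account, awsRegion as vendor_region`. Longer term, `join` is subject to subsearch result limits, so a single `stats` keyed on `new_login_profile src_ip` over both event types would be more reliable, but that is beyond this normalization pass.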
@@ -30,12 +33,12 @@ references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -44,14 +47,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ is attempting to create a login profile for $new_login_profile$ - and did a console login from this IP $src_ip$ + message: User $user$ is attempting to create a login profile for $new_login_profile$ + and did a console login from this IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 72 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml index 7b19d32062..aaa7569c67 100644 --- a/detections/cloud/aws_credential_access_failed_login.yml +++ b/detections/cloud/aws_credential_access_failed_login.yml 
@@ -14,13 +14,12 @@ description: The following analytic identifies unsuccessful login attempts to th resources, leading to data breaches, resource manipulation, or further exploitation within the AWS environment. data_source: -- AWS CloudTrail -search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from - datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn - Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature - Authentication.dest Authentication.user Authentication.action Authentication.user_id - Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `aws_credential_access_failed_login_filter`' +- AWS CloudTrail ConsoleLogin +search: '`cloudtrail` eventName = ConsoleLogin errorMessage="Failed authentication" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: Users may genuinely mistype or forget the password. diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml index 24b5b4f9f6..170fdde488 100644 --- a/detections/cloud/aws_credential_access_getpassworddata.yml +++ b/detections/cloud/aws_credential_access_getpassworddata.yml 
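Review bot: The raw-search rewrite keys the risk object on `userName as user`, but for a failed console login against a non-existent or mistyped name CloudTrail records `userIdentity.userName` as `HIDDEN_DUE_TO_SECURITY_REASONS`, so a password-spray across unknown names collapses onto one placeholder "user", while identity types that lack `userIdentity.userName` drop out of `stats` entirely because a null by-field discards the row. Consider keying on a coalesced identity, e.g. `| eval user=coalesce('userIdentity.userName','userIdentity.arn')`, and mention the placeholder value in `known_false_positives` so analysts do not chase it as a real account. Moving off the accelerated `Authentication` data model also narrows the match to `errorMessage="Failed authentication"`; if other failure messages were previously mapped to `action=failure`, they are no longer counted, which is worth stating in `how_to_implement`.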
@@ -15,11 +15,14 @@ description: The following analytic identifies more than 10 GetPasswordData API further compromise of the AWS environment. data_source: - AWS CloudTrail GetPasswordData -search: '`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin - _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) - as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by - aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids - > 10 | `aws_credential_access_getpassworddata_filter`' +search: '`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com + | bin _time span=5m + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime dc(requestParameters.instanceId) as distinct_instance_ids by action dest user user_agent src vendor_account vendor_region vendor_product + | where distinct_instance_ids > 10 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_credential_access_getpassworddata_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment. 
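Review bot: The new `stats` drops `values(requestParameters.instanceId) as instance_ids` and `values(errorCode) as errorCode` that the old search produced, yet the rba message in this file's next hunk still interpolates `$instance_ids$`, so the notable will render with an unresolved token and the analyst loses the list of instances whose passwords were pulled. Restore both in the new stats: `| stats count min(_time) as firstTime max(_time) as lastTime dc(requestParameters.instanceId) as distinct_instance_ids values(requestParameters.instanceId) as instance_ids values(errorCode) as errorCode by action dest user user_agent src vendor_account vendor_region vendor_product`. Keeping `errorCode` matters for triage here: a sweep that was blocked by `AccessDenied` responses and one that succeeded look identical without it.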
@@ -29,12 +32,12 @@ references: - https://attack.mitre.org/techniques/T1552/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,14 +46,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to - instance ids $instance_ids$ from IP $src_ip$ + message: User $user$ is seen to make mulitple `GetPasswordData` API calls to + instance ids $instance_ids$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml index 16d5d8fce2..3a6944955f 100644 --- a/detections/cloud/aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/aws_credential_access_rds_password_reset.yml 
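Review bot: The rewritten message `User $user$ is seen to make mulitple \`GetPasswordData\` API calls to instance ids $instance_ids$ from IP $src$` has a typo (`mulitple` → `multiple`) and references `$instance_ids$`, which the rewritten search in this commit no longer emits from its `stats`. Either restore `values(requestParameters.instanceId) as instance_ids` in the search or remove the token from the message; as written the risk message will contain an unexpanded placeholder.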
@@ -16,21 +16,22 @@ description: The following analytic detects the resetting of the master user pas data_source: - AWS CloudTrail ModifyDBInstance search: '`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* - | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) - as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: Users may genuinely reset the RDS password. 
references: - https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds drilldown_searches: -- name: View the detection results for - "$database_id$" - search: '%original_detection_search% | search database_id = "$database_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$database_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$database_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml index 15acf34a9a..1d102cfe42 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml 
@@ -15,11 +15,11 @@ description: The following analytic detects the deletion of AWS CloudTrail logs leading to prolonged unauthorized access and further exploitation. data_source: - AWS CloudTrail DeleteTrail -search: '`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com - userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as - firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name - by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`' +search: '`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible 
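Review bot: The new `stats` no longer carries `values(requestParameters.name) as deleted_cloudtrail_name`, so the result says a trail was deleted but not which one — the fact a responder needs first, for example to tell an organization trail from a throwaway test trail. Add it back: `| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name by action dest user user_agent src vendor_account vendor_region vendor_product`, and consider including it in the rba message. The `userName as user` key also drops deletions performed from a role session, because raw CloudTrail has only `userIdentity.userName` (absent for `AssumedRole`) and `stats` discards rows with a null by-field; a coalesce onto `userIdentity.arn` before the stats, as the old `user_arn` key effectively provided, closes that gap.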
@@ -27,12 +27,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ + message: User $user$ has delete a CloudTrail logging for account id $vendor_account$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 90 threat_objects: diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml index 50d8d4f9f7..433be7ed2c 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml 
@@ -15,11 +15,11 @@ description: The following analytic detects the deletion of CloudWatch log group within the compromised AWS environment. data_source: - AWS CloudTrail DeleteLogGroup -search: '`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com - userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as - firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name - by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`' +search: '`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible 
@@ -27,12 +27,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ + message: User $user$ has deleted a CloudWatch logging group for account id $vendor_account$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 90 threat_objects: diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml index 1f05298c2f..56396339d9 100644 --- a/detections/cloud/aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml 
@@ -23,10 +23,10 @@ data_source: - AWS CloudTrail DeleteLoggingConfiguration - AWS CloudTrail DeleteAlarms search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") - | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as - eventName values(eventSource) as eventSource values(requestParameters.*) as * by - src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml index 4d98499ce9..4ab83f87de 100644 --- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml 
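Review bot: The new `stats` removes `errorCode` from the `by` clause while the search has no `errorCode=success` filter, so denied attempts and successful deletions by the same user against the same service collapse into one row with nothing to tell them apart — the old search at least kept them separate. Either append `errorCode` to the `by` list or keep it as an aggregate, e.g. `values(errorCode) as error_code` before `by action dest user user_agent src vendor_account vendor_region vendor_product`. Unlike the sibling files in this commit, there is no hunk updating this file's `drilldown_searches`/`rba` sections; if they reference `user_arn`, they are outside the hunk and now point at a field the search no longer emits.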
@@ -15,11 +15,12 @@ description: The following analytic detects `PutBucketLifecycle` events in AWS C data_source: - AWS CloudTrail PutBucketLifecycle search: '`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success - | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days - output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name - | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName - userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`' + | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days + | spath path=requestParameters{}.bucketName output=bucket_name + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name expiration_days + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_defense_evasion_putbucketlifecycle_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml index e59c2100ae..edd310461a 100644 --- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml 
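Review bot: The `| where expiration_days < 3` stage is gone from the new search, so the analytic now fires on every `PutBucketLifecycle` by an IAM user instead of only on lifecycle rules with a suspiciously short expiration, which was the detection's whole premise; `how_to_implement` in the same hunk still tells users to tune "the expiration days value", which now refers to nothing. Re-insert it ahead of the filter macro: `| where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`'`. If the threshold is meant to become tunable, moving it into a macro would be the place to do that rather than dropping it.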
@@ -15,11 +15,11 @@ description: The following analytic detects `StopLogging` events in AWS CloudTra to unauthorized access or data exfiltration. data_source: - AWS CloudTrail StopLogging -search: '`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com - userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as - firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name - by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`' +search: '`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent!=console.amazonaws.com errorCode = success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name expiration_days + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible 
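Review bot: The `by` clause ends with `bucket_name expiration_days`, which come from the PutBucketLifecycle search and are never produced by `StopLogging` events; because `stats ... by` drops every event that lacks a group-by field, this search returns nothing and the detection is effectively disabled. The UpdateTrail hunk in `aws_defense_evasion_update_cloudtrail.yml` carries the identical copy-paste. Drop the two tokens: `| stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product`. The later "bug fix" patch in this series lists both files with a 4-line change, which may be this correction.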
@@ -27,12 +27,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ + message: User $user_arn$ has stopped Cloudtrail logging for account id $vendor_account$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 90 threat_objects: diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml index 89559d06de..a82c946d23 100644 --- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml 
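Review bot: The `rba.message` still interpolates `$user_arn$`, but `risk_objects[].field` was changed to `user` in the same hunk and the rewritten search in the previous hunk no longer carries `user_arn` through `stats`, so the risk message will render with an empty or literal `$user_arn$` token; the drilldowns above were correctly moved to `$user$`. Change it to `message: User $user$ has stopped Cloudtrail logging for account id $vendor_account$ from IP $src$`. The `@@ -41` hunk of `aws_defense_evasion_update_cloudtrail.yml` has the same leftover.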
@@ -15,11 +15,11 @@ description: The following analytic detects `UpdateTrail` events in AWS CloudTra security of the AWS environment. data_source: - AWS CloudTrail UpdateTrail -search: '`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com - userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as - firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name - by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`' +search: '`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name expiration_days + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible 
@@ -27,12 +27,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ + message: User $user_arn$ has updated a cloudtrail logging for account id $vendor_account$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 90 threat_objects: diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index c5241c74bc..7662059987 100644 --- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml 
@@ -16,15 +16,18 @@ description: The following analytic detects the creation of AWS KMS keys with an data_source: - AWS CloudTrail CreateKey - AWS CloudTrail PutKeyPolicy -search: '`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy - output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | - spath input=key_policy_statements output=key_policy_action_1 path=Action | spath - input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, - key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal - path=Principal.AWS | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" - | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource - eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' +search: '`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy + | spath input=requestParameters.policy output=key_policy_statements path=Statement{} + | mvexpand key_policy_statements + | spath input=key_policy_statements output=key_policy_action_1 path=Action + | spath input=key_policy_statements output=key_policy_action_2 path=Action{} + | eval key_policy_action=mvappend(key_policy_action_1,key_policy_action_2) + | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS + | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product key_policy_action 
key_policy_principal + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs known_false_positives: unknown diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml similarity index 99% rename from detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml rename to detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml index 709d1872fe..b0f0ceda0b 100644 --- a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml +++ b/detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml @@ -3,7 +3,7 @@ id: 21193641-cb96-4a2c-a707-d9b9a7f7792b version: 4 date: '2024-11-14' author: Rico Valdez, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity diff --git a/detections/cloud/aws_detect_attach_to_role_policy.yml b/detections/deprecated/aws_detect_attach_to_role_policy.yml similarity index 98% rename from detections/cloud/aws_detect_attach_to_role_policy.yml rename to detections/deprecated/aws_detect_attach_to_role_policy.yml index b3b55c8829..15cd19619d 100644 --- a/detections/cloud/aws_detect_attach_to_role_policy.yml +++ b/detections/deprecated/aws_detect_attach_to_role_policy.yml 
@@ -3,7 +3,7 @@ id: 88fc31dd-f331-448c-9856-d3d51dd5d3a1 version: 4 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` diff --git a/detections/cloud/aws_detect_permanent_key_creation.yml b/detections/deprecated/aws_detect_permanent_key_creation.yml similarity index 98% rename from detections/cloud/aws_detect_permanent_key_creation.yml rename to detections/deprecated/aws_detect_permanent_key_creation.yml index 49c164d0b4..351dea6701 100644 --- a/detections/cloud/aws_detect_permanent_key_creation.yml +++ b/detections/deprecated/aws_detect_permanent_key_creation.yml @@ -3,7 +3,7 @@ id: 12d6d713-3cb4-4ffc-a064-1dca3d1cca01 version: 4 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` diff --git a/detections/cloud/aws_detect_role_creation.yml b/detections/deprecated/aws_detect_role_creation.yml similarity index 98% rename from detections/cloud/aws_detect_role_creation.yml rename to detections/deprecated/aws_detect_role_creation.yml index 068b428177..830b7c96a6 100644 --- a/detections/cloud/aws_detect_role_creation.yml +++ b/detections/deprecated/aws_detect_role_creation.yml @@ -3,7 +3,7 @@ id: 5f04081e-ddee-4353-afe4-504f288de9ad version: 4 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic identifies the creation of new IAM roles by users in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action 
diff --git a/detections/cloud/aws_detect_sts_assume_role_abuse.yml b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml similarity index 98% rename from detections/cloud/aws_detect_sts_assume_role_abuse.yml rename to detections/deprecated/aws_detect_sts_assume_role_abuse.yml index 4a67dd42fc..21aa5e16fb 100644 --- a/detections/cloud/aws_detect_sts_assume_role_abuse.yml +++ b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml @@ -3,7 +3,7 @@ id: 8e565314-b6a2-46d8-9f05-1a34a176a662 version: 4 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, diff --git a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml similarity index 98% rename from detections/cloud/aws_detect_sts_get_session_token_abuse.yml rename to detections/deprecated/aws_detect_sts_get_session_token_abuse.yml index 0ff88c17b8..41055eee3e 100644 --- a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml +++ b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml @@ -3,7 +3,7 @@ id: 85d7b35f-b8b5-4b01-916f-29b81e7a0551 version: 4 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, From 8b1b30e1e76120cdd8e3344b3097dd7071b64027 Mon Sep 17 00:00:00 2001 
From: Patrick Bareiss Date: Mon, 3 Feb 2025 13:20:43 +0100 Subject: [PATCH 03/15] bug fix --- .../cloud/asl_aws_concurrent_sessions_from_different_ips.yml | 2 +- detections/cloud/asl_aws_create_access_key.yml | 2 +- .../asl_aws_create_policy_version_to_allow_all_resources.yml | 2 +- .../cloud/asl_aws_credential_access_getpassworddata.yml | 2 +- .../cloud/asl_aws_credential_access_rds_password_reset.yml | 2 +- .../cloud/asl_aws_defense_evasion_delete_cloudtrail.yml | 2 +- .../asl_aws_defense_evasion_delete_cloudwatch_log_group.yml | 2 +- .../asl_aws_defense_evasion_impair_security_services.yml | 2 +- .../cloud/asl_aws_defense_evasion_putbucketlifecycle.yml | 2 +- .../cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml | 2 +- .../cloud/asl_aws_defense_evasion_update_cloudtrail.yml | 2 +- ...ct_users_creating_keys_with_encrypt_policy_without_mfa.yml | 2 +- detections/cloud/asl_aws_disable_bucket_versioning.yml | 2 +- detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml | 2 +- .../asl_aws_ecr_container_upload_outside_business_hours.yml | 2 +- .../cloud/asl_aws_ecr_container_upload_unknown_user.yml | 2 +- .../cloud/asl_aws_iam_accessdenied_discovery_events.yml | 2 +- .../cloud/asl_aws_iam_assume_role_policy_brute_force.yml | 2 +- detections/cloud/asl_aws_iam_delete_policy.yml | 2 +- detections/cloud/asl_aws_iam_failure_group_deletion.yml | 2 +- detections/cloud/asl_aws_iam_successful_group_deletion.yml | 2 +- ...etwork_access_control_list_created_with_all_open_ports.yml | 2 +- .../cloud/asl_aws_network_access_control_list_deleted.yml | 2 +- .../cloud/asl_aws_new_mfa_method_registered_for_user.yml | 2 +- detections/cloud/asl_aws_saml_update_identity_provider.yml | 2 +- detections/cloud/asl_aws_updateloginprofile.yml | 2 +- detections/cloud/aws_createloginprofile.yml | 2 +- .../cloud/aws_defense_evasion_stop_logging_cloudtrail.yml | 4 ++-- detections/cloud/aws_defense_evasion_update_cloudtrail.yml | 4 ++-- 29 files changed, 31 insertions(+), 31 deletions(-) 
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index fb3ba01e71..31d8a82fd8 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml 
@@ -12,7 +12,7 @@ search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoi | bin span=5m _time | stats min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 - | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index 16755e6555..73b08dda9c 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml 
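Review bot: The stray second `action` token is fixed here, but the corrected `rename` chain is repeated verbatim in every ASL detection touched by this patch (the following hunks are byte-identical apart from the filter macro), which is how the typo was replicated across so many files in the first place. Consider moving the `actor.user.uid as user ... cloud.region as vendor_region` mapping into one shared macro (name per the repository's macro conventions) so the normalization is defined once, provided the repo's search-validation tooling accepts a macro at that position. A future change to the field mapping would then be a single-file edit.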
@@ -11,7 +11,7 @@ data_source: search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml index e77c0c5a9c..0086cea8e7 100644 --- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml 
@@ -15,7 +15,7 @@ search: '`amazon_security_lake` api.operation=CreatePolicy | regex Statement{}.Resource="\*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data - | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_policy_version_to_allow_all_resources_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml index 77e92bc93a..a0fe0401a9 100644 --- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml +++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
@@ -12,7 +12,7 @@ search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region instanceId - | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index 0ee29d8570..899584f0cc 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
@@ -13,7 +13,7 @@ search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation= | search masterUserPassword=* | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data - | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index 3b580e286e..5507ac4215 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml 
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation=DeleteTrail
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_delete_cloudtrail_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
index 74adabc4c2..98ab6e90e2 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation=DeleteLogGroup
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
index 8d47e58a44..7c5648607f 100644
--- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms")
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
index 5ea1801468..0ae40eb99c 100644
--- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
+++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
@@ -14,7 +14,7 @@ search: '`amazon_security_lake` api.operation=PutBucketLifecycle
 | spath input=api.request.data
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region NoncurrentDays bucketName
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
index d448478afe..ee0e30e0c5 100644
--- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation=StopLogging
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index 004514e06e..71566a60c8 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation=UpdateTrail
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index ab1abd48c4..587c97d919 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -20,7 +20,7 @@ search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=Crea
 | regex principal="\*"
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`'
 how_to_implement: The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: unknown
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index 57a0b89df8..32b08c3e6e 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -14,7 +14,7 @@ search: '`amazon_security_lake` api.operation=PutBucketVersioning
 | search Status=Suspended
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `asl_aws_disable_bucket_versioning_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs.
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
index 80b5e266b4..d43f8289a8 100644
--- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
@@ -13,7 +13,7 @@ search: '`amazon_security_lake` api.operation=ModifySnapshotAttribute
 | search group=all
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ec2_snapshot_shared_externally_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose.
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index 372f16b9b2..f0209b1bb8 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -13,7 +13,7 @@ search: '`amazon_security_lake` api.operation=PutImage
 | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
index 311e4dabdf..008b5054b1 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
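Review bot: In the context line `| where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday`, `Saturday` and `Sunday` are unquoted, so `where` evaluates them as field names rather than string literals and the weekend clause can never be true; it should read `| where hour >= 20 OR hour < 8 OR weekday="Saturday" OR weekday="Sunday"`. Separately, `bucketName` in the `stats ... by` clause looks carried over from an S3 search: an ECR PutImage event is unlikely to carry that field, and `stats` silently drops events missing a by-field (`fillnull` only fills fields that exist somewhere in the result set), so confirm against sample data or drop it from the clause. The eval that produces `hour` and `weekday` sits above this hunk and is not visible here.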
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl`
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index 62fc5f0c3e..065f517035 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -12,7 +12,7 @@ search: '`amazon_security_lake` api.response.error=AccessDenied OR api.response.
 | bucket _time span=1h
 | stats count as failures min(_time) as firstTime max(_time) as lastTime dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region by _time actor.user.uid
 | where failures >= 5 AND dc_operation >= 1 AND dc_service >= 1
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_accessdenied_discovery_events_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
index 7dba8a15a4..b8dafe5438 100644
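Review bot: The `+` line renames `src_endpoint.ip as src`, but the `stats` two lines above already emitted that value as `src_ip` (`values(src_endpoint.ip) as src_ip`), so there is no `src_endpoint.ip` left to rename and the output never carries `src`; the normalisation this commit is after is therefore incomplete for this search. Either alias it in stats as `values(src_endpoint.ip) as src_endpoint.ip` or add `src_ip as src` to the rename. The `dc_operation >= 1 AND dc_service >= 1` conditions in the `where` are also no-ops, since any bucket with five failures has at least one operation and one service; raise them to express the intended spread of discovery calls, or drop them.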
--- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
@@ -12,7 +12,7 @@ search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=
 | bucket _time span=1h
 | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region by _time actor.user.uid
 | where failures >= 3
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_assume_role_policy_brute_force_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.
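Review bot: The rename on the `+` line maps `src_endpoint.ip as src`, but the `stats` above aggregates that field as `src_ip` (`values(src_endpoint.ip) as src_ip`), so the result has `src_ip` and no `src`, and the rename is a no-op for the source address. Use `values(src_endpoint.ip) as src_endpoint.ip` in the stats, or `src_ip as src` in the rename. Because these are `values(...)` aggregations, `src` and `user_agent` are multivalue per hour bucket, which downstream CIM consumers of this search should be told to expect. The `known_false_positives` text also misspells `capabilities`.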
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml
index 65352ab7f3..1d89b2772d 100644
--- a/detections/cloud/asl_aws_iam_delete_policy.yml
+++ b/detections/cloud/asl_aws_iam_delete_policy.yml
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation=DeletePolicy
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index 736061d5cd..fd80b5fa9a 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index 56cbda4ca9..398e5277bb 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -11,7 +11,7 @@ data_source:
 search: '`amazon_security_lake` api.operation=DeleteGroup status=Success
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`'
 how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk.
diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
index 55b7f40389..4f4e0a8858 100644
--- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
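Review bot: The `how_to_implement` line in this hunk (`You must install the Data Lake Federated Analytics App and ingest the logs into Splunk.`) is out of step with the sibling ASL detections in this commit, which state the Amazon Security Lake / CloudTrail prerequisite and point to the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. Since the commit already touches this file, align the text with the other searches so the success and failure variants of DeleteGroup give operators the same ingestion guidance.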
@@ -17,7 +17,7 @@ search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.opera
 | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId cidrBlock
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment.
diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
index 37ca6542eb..9d36c77f7c 100644
--- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
@@ -14,7 +14,7 @@ search: '`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Succe
 | search egress=false
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId
- | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
+ | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region
 | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_deleted_filter`'
 how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: It's possible that a user has legitimately deleted a network ACL.
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index 719531bfa0..4103f8c34b 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -11,7 +11,7 @@ data_source: search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml index b0e1b7215d..31ea6bb635 100644 --- a/detections/cloud/asl_aws_saml_update_identity_provider.yml +++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml 
@@ -11,7 +11,7 @@ data_source: search: '`amazon_security_lake` api.operation=UpdateSAMLProvider | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_saml_update_identity_provider_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored. diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml index a49de5d3b7..00305b0fe4 100644 --- a/detections/cloud/asl_aws_updateloginprofile.yml +++ b/detections/cloud/asl_aws_updateloginprofile.yml 
@@ -11,7 +11,7 @@ data_source: search: '`amazon_security_lake` api.operation=UpdateLoginProfile | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region - | rename actor.user.uid as user api.operation as action action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_updateloginprofile_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml index bc3cb88f17..d72b8caace 100644 --- a/detections/cloud/aws_createloginprofile.yml +++ b/detections/cloud/aws_createloginprofile.yml 
@@ -22,7 +22,7 @@ search: '`cloudtrail` eventName = CreateLoginProfile | rename userIdentity.userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] - | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | rename eventName as action, eventSource as dest, user_arn as user, userAgent as user_agent, src_ip as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region | eval vendor_product = "AWS" | `aws_createloginprofile_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml index edd310461a..f27ee4fc56 100644 --- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml 
@@ -18,7 +18,7 @@ data_source: search: '`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent!=console.amazonaws.com errorCode = success | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region | eval vendor_product = "AWS" - | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name expiration_days + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. @@ -41,7 +41,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has stopped Cloudtrail logging for account id $vendor_account$ + message: User $user$ has stopped Cloudtrail logging for account id $vendor_account$ from IP $src$ risk_objects: - field: user diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml index a82c946d23..3cecf7eaef 100644 --- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml 
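Review bot: The new stats line keys on `user`, which the rename above it derives from `userName`, so any StopLogging event with no `userName` value is silently dropped by the by-clause and never alerts; as far as I recall CloudTrail omits userIdentity.userName for assumed-role sessions, which for a defense-evasion detection is exactly the population worth keeping. The createloginprofile hunk earlier in this patch already uses `user_arn as user`, which is populated for every identity type; aligning this rename with it, or adding `| fillnull value="unknown" user` before stats, closes the gap. The same rename line recurs in the update_cloudtrail hunk that follows and in the hunks of the next patch that add it, so one decision should be applied across them. Dropping `bucket_name expiration_days` from the by-clause is correct, since events lacking those fields were being discarded; the new rba message reads `$user$` and `$src$`, both of which survive the grouping.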
@@ -18,7 +18,7 @@ data_source: search: '`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region | eval vendor_product = "AWS" - | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name expiration_days + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. @@ -41,7 +41,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has updated a cloudtrail logging for account id $vendor_account$ + message: User $user$ has updated a cloudtrail logging for account id $vendor_account$ from IP $src$ risk_objects: - field: user From ed8e3bf84217a2e7491cbe2d4cfa8d63cae6f2ea Mon Sep 17 00:00:00 2001 
From: Patrick Bareiss Date: Mon, 3 Feb 2025 20:26:34 +0100 Subject: [PATCH 04/15] aws detections --- ...with_kms_keys_performing_encryption_s3.yml | 11 +++---- .../cloud/aws_disable_bucket_versioning.yml | 24 +++++++------- .../aws_ec2_snapshot_shared_externally.yml | 31 +++++++++++-------- ...s_ecr_container_scanning_findings_high.yml | 23 +++++++------- ...ing_findings_low_informational_unknown.yml | 27 ++++++++-------- ...ecr_container_scanning_findings_medium.yml | 25 ++++++++------- ...ontainer_upload_outside_business_hours.yml | 12 ++++--- .../aws_ecr_container_upload_unknown_user.yml | 12 ++++--- .../cloud/aws_excessive_security_scanning.yml | 14 +++++---- ...n_via_anomalous_getobject_api_activity.yml | 24 ++++++++------ .../aws_exfiltration_via_batch_service.yml | 23 +++++++------- ...ws_exfiltration_via_bucket_replication.yml | 16 +++++----- .../aws_exfiltration_via_datasync_task.yml | 23 +++++++------- .../aws_exfiltration_via_ec2_snapshot.yml | 30 +++++++++--------- ...ber_of_failed_authentications_for_user.yml | 26 +++++++++------- ...mber_of_failed_authentications_from_ip.yml | 24 ++++++++------ .../aws_iam_accessdenied_discovery_events.yml | 25 ++++++++------- ...aws_iam_assume_role_policy_brute_force.yml | 24 +++++++------- detections/cloud/aws_iam_delete_policy.yml | 10 +++--- .../cloud/aws_iam_failure_group_deletion.yml | 23 +++++++------- .../aws_iam_successful_group_deletion.yml | 10 +++--- .../cloud/aws_lambda_updatefunctioncode.yml | 9 +++--- ...s_multi_factor_authentication_disabled.yml | 25 ++++++++------- ..._multiple_failed_mfa_requests_for_user.yml | 23 ++++++++------ ..._users_failing_to_authenticate_from_ip.yml | 24 ++++++++------ ...ntrol_list_created_with_all_open_ports.yml | 25 +++++++-------- ...ws_network_access_control_list_deleted.yml | 20 ++++++------ ...aws_new_mfa_method_registered_for_user.yml | 23 +++++++------- .../cloud/aws_password_policy_changes.yml | 10 +++--- .../aws_saml_update_identity_provider.yml | 23 +++++++------- 
.../cloud/aws_setdefaultpolicyversion.yml | 20 ++++++------ ...nsole_authentication_from_multiple_ips.yml | 26 +++++++++------- ...uccessful_single_factor_authentication.yml | 19 ++++++------ ...mber_of_failed_authentications_from_ip.yml | 13 +++++--- ..._access_by_provider_user_and_principal.yml | 2 +- 35 files changed, 375 insertions(+), 324 deletions(-) rename detections/{cloud => deprecated}/aws_saml_access_by_provider_user_and_principal.yml (99%) diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml index 074c3883c1..2576eb67b4 100644 --- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml +++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml 
@@ -15,12 +15,11 @@ description: The following analytic identifies users with KMS keys performing en data_source: - AWS CloudTrail search: '`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms" - | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source - AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime - max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file - values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS - region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`' + | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucketName src_file dest_file + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_detect_users_with_kms_keys_performing_encryption_s3_filter`' how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs known_false_positives: There maybe buckets provisioned with S3 encryption diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml index 8fd550eba5..91c6bdb5f8 100644 --- a/detections/cloud/aws_disable_bucket_versioning.yml +++ b/detections/cloud/aws_disable_bucket_versioning.yml 
@@ -15,10 +15,10 @@ description: The following analytic detects when AWS S3 bucket versioning is sus lead to data loss and hinder recovery efforts, severely impacting data integrity and availability. search: '`cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended - | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) - as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn - userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `aws_disable_bucket_versioning_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region, requestParameters.bucketName as bucket_name + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_disable_bucket_versioning_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS Administrator has legitimately disabled 
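Review bot: The rewritten search neither keeps `errorCode` (the old by-clause carried it) nor filters on it, so a PutBucketVersioning call that failed with an error is aggregated into the same row as a successful suspension and produces the same "Bucket Versioning is suspended" risk message. The stop_logging hunk in the previous patch pins `errorCode = success` in its base search; adding the same term here, `search: '`cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended errorCode=success`, keeps the alert truthful, or `errorCode` can be appended to the by-clause so the analyst sees the outcome. Adding `min(_time) as firstTime max(_time) as lastTime` is a genuine fix, since the old search referenced both without computing them.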
@@ -27,12 +27,12 @@ references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,14 +41,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ - from IP address $src_ip$ + message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user$ + from IP address $src$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml index 8b0bed9a24..9ceada3e2c 100644 --- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml 
@@ -15,11 +15,16 @@ description: The following analytic detects when an EC2 snapshot is shared with of the compromised information. data_source: - AWS CloudTrail ModifySnapshotAttribute -search: '`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId - as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No - Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id - aws_account_id match vendor_region user_agent userIdentity.principalId | where match - = "No Match" | `aws_ec2_snapshot_shared_externally_filter`' +search: '`cloudtrail` eventName=ModifySnapshotAttribute + | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id + | search requested_account_id != NULL + | eval match=if(requested_account_id==aws_account_id,"Match","No Match") + | where match = "No Match" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_ec2_snapshot_shared_externally_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS admin has legitimately shared a 
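Review bot: `requested_account_id` is computed and used for the `match` test but is not in the new stats by-clause, so it no longer exists when the rba message in the later hunk of this file interpolates `$requested_account_id$`; the risk message will show the literal token instead of the external account. Appending it to the grouping, `| stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product requested_account_id`, restores the field and also yields one row per account the snapshot was shared with, which is the unit an analyst triages. `requestParameters.attributeType`, which the old table surfaced, is dropped as well; if that is intentional it is worth a word in the description.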
@@ -29,12 +34,12 @@ references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,14 +48,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ - by user $user_arn$ from $src_ip$ + message: AWS EC2 snapshot from account $vendor_account$ is shared with $requested_account_id$ + by user $user$ from $src$ risk_objects: - - field: user_arn + - field: user type: user score: 48 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml index 2d8b0c01a9..5f40b0b040 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml 
@@ -17,13 +17,14 @@ description: The following analytic identifies high-severity findings from AWS E data_source: - AWS CloudTrail DescribeImageScanFindings search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings - | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand - findings | spath input=findings | search severity=HIGH | rename name as finding_name, - description as finding_description, requestParameters.imageId.imageDigest as imageDigest, - requestParameters.repositoryName as repository, userIdentity.principalId as user - | eval finding = finding_name.", ".finding_description | eval phase="release" | - eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, - eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity + | spath path=responseElements.imageScanFindings.findings{} output=findings + | mvexpand findings + | spath input=findings + | search severity=HIGH + | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product finding_name finding_description imageDigest repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
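Review bot: The rename swaps the old `userIdentity.principalId as user` for `userName as user`, which changes the identity the risk object is attributed to, not just its field name; principalId is always present in CloudTrail records whereas userName, as far as I recall, is absent for assumed-role sessions, and stats discards any event missing a by-field. The low/informational/unknown and medium hunks later in this patch make the identical swap, so whichever identity field is chosen should be applied to all three. If `userName` is kept, a short comment on the rename line explaining why principalId was abandoned would help the next maintainer; otherwise `userIdentity.principalId as user` (or `user_arn as user`, as the createloginprofile hunk in the previous patch does) keeps coverage unchanged. Grouping on `finding_description`, a free-text field, is fine for row identity but will make the by-clause wide; that is a style choice, not a defect.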
@@ -31,12 +32,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for - "$repository$" - search: '%original_detection_search% | search repository = "$repository$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml index 12c75e5cdc..8bf693c0bc 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml 
@@ -16,14 +16,15 @@ description: The following analytic identifies low, informational, or unknown se data_source: - AWS CloudTrail DescribeImageScanFindings search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings - | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand - findings | spath input=findings| search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") - | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest - as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId - as user | eval finding = finding_name.", ".finding_description | eval phase="release" - | eval severity="low" | stats min(_time) as firstTime max(_time) as lastTime by - awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, - phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | spath path=responseElements.imageScanFindings.findings{} output=findings + | mvexpand findings + | spath input=findings + | search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") + | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product finding_name finding_description imageDigest repository + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. 
This search works with AWS CloudTrail logs. @@ -31,12 +32,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for - "$repository$" - search: '%original_detection_search% | search repository = "$repository$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -45,7 +46,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Vulnerabilities with severity $severity$ found in repository $repository$ + message: Vulnerabilities found in repository $repository$ risk_objects: - field: user type: user diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml index 74e533680f..d732567aef 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml 
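Review bot: The rba message for this file drops the severity wording entirely, while the medium-severity file in the next hunk hardcodes "severity medium" after the same `$severity$` removal, so the three ECR finding detections now phrase the same event inconsistently. Since the base search already restricts to `severity IN ("LOW", "INFORMATIONAL", "UNKNOWN")`, the message can state that without needing the dropped field: `message: Vulnerabilities with severity low, informational or unknown found in repository $repository$`. The drilldown switch from `$repository$` to `$user$` matches the risk object, which is correct.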
@@ -16,13 +16,14 @@ description: The following analytic identifies medium-severity findings from AWS data_source: - AWS CloudTrail DescribeImageScanFindings search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings - | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand - findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, - description as finding_description, requestParameters.imageId.imageDigest as imageDigest, - requestParameters.repositoryName as repository, userIdentity.principalId as user| - eval finding = finding_name.", ".finding_description | eval phase="release" | eval - severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, - eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity + | spath path=responseElements.imageScanFindings.findings{} output=findings + | mvexpand findings + | spath input=findings + | search severity=MEDIUM + | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product finding_name finding_description imageDigest repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
@@ -30,12 +31,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for - "$repository$" - search: '%original_detection_search% | search repository = "$repository$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -44,7 +45,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Vulnerabilities with severity $severity$ found in repository $repository$ + message: Vulnerabilities with severity medium found in repository $repository$ risk_objects: - field: user type: user diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml index 0f3a5de777..c149a22641 100644 --- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml 
@@ -16,10 +16,12 @@ description: The following analytic detects the upload of a new container image data_source: - AWS CloudTrail PutImage search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 - OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* - as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" - | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, - eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity + OR date_hour<8 OR date_wday=saturday OR date_wday=sunday + | rename requestParameters.* as * + | rename repositoryName AS repository + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -48,7 +50,7 @@ rba: type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml index bdb09cde4c..1e411914ac 100644 --- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml 
@@ -15,10 +15,12 @@ description: The following analytic detects the upload of a new container image data_source: - AWS CloudTrail PutImage search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` - | rename requestParameters.* as * | rename repositoryName AS image | eval phase="release" - | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by - awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, - image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | rename requestParameters.* as * + | rename repositoryName AS image + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product image + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -46,7 +48,7 @@ rba: type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml index 777ddb58a0..1c6050e42f 100644 --- a/detections/cloud/aws_excessive_security_scanning.yml +++ b/detections/cloud/aws_excessive_security_scanning.yml 
@@ -14,11 +14,13 @@ description: The following analytic identifies excessive security scanning activ exploitation of your cloud infrastructure. data_source: - AWS CloudTrail -search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | - stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime - values(eventName) as command values(src) as src values(userAgent) as userAgent by - user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`' +search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name + | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(action) as action values(dest) as dest values(user_agent) as user_agent values(src) as src values(vendor_account) as vendor_account values(vendor_region) as vendor_region by user + | where dc_events > 50 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: While this search has no known false positives. 
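Review bot: The first stats in the new search groups by `bucket_name`, a field nothing in this search defines; Splunk stats excludes events lacking any by-field, so every event is discarded and the detection can never fire. The second stats then uses `dc(eventName)` and `min(_time)`, but `eventName` was renamed to `action` and `_time` is not carried through the first stats, so `dc_events`, `firstTime` and `lastTime` would all be null even with the first problem fixed. Dropping `bucket_name` and aggregating over the fields the first stats actually produces restores the intended per-user distinct-action count.
```yaml
search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get*
  # … unchanged: rename to action/dest/user/… and eval vendor_product …
  | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product
  | stats dc(action) as dc_events min(firstTime) as firstTime max(lastTime) as lastTime values(action) as action values(dest) as dest values(user_agent) as user_agent values(src) as src values(vendor_account) as vendor_account values(vendor_region) as vendor_region by user
  # … unchanged: where dc_events > 50, ctime macros and filter macro …
```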
@@ -40,7 +42,7 @@ drilldown_searches: latest_offset: $info_max_time$ rba: message: User $user$ has excessive number of api calls $dc_events$ from these IP - addresses $src$, violating the threshold of 50, using the following commands $command$. + addresses $src$, violating the threshold of 50, using the following actions $action$. risk_objects: - field: user type: user diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml index 76a669be53..eb303bc8cf 100644 --- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml +++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml 
@@ -14,9 +14,13 @@ description: The following analytic identifies anomalous GetObject API activity within a 10-minute window. This activity is significant as it may indicate unauthorized data access or exfiltration from S3 buckets. If confirmed malicious, attackers could exfiltrate sensitive data, leading to data breaches and compliance violations. -search: '`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) - as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId - | anomalydetection "count" "user_type" "user_arn" action=annotate | search probable_cause=* +search: '`cloudtrail` eventName=GetObject + | bin _time span=10m + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count values(requestParameters.bucketName) as bucketName by action dest user user_agent src vendor_account vendor_region vendor_product + | anomalydetection "count" "user" action=annotate + | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
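Review bot: `_time` was removed from the stats by-clause, so the `bin _time span=10m` line no longer has any effect and counts accumulate over the whole search window rather than the 10-minute window the description promises; restore it with `| stats count values(requestParameters.bucketName) as bucketName by _time action dest user user_agent src vendor_account vendor_region vendor_product`. This also changes what `anomalydetection` scores, since it now sees one row per user instead of one per user per window. The same omission affects the hourly bucket in aws_iam_accessdenied_discovery_events.yml, whose by-clause also lost `_time`.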
@@ -28,12 +32,12 @@ references: - https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection - https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -42,13 +46,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Anomalous S3 activities detected by user $user_arn$ from $src_ip$ + message: Anomalous S3 activities detected by user $user$ from $src$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml index 5e36251cd2..19aa6238f6 100644 --- a/detections/cloud/aws_exfiltration_via_batch_service.yml +++ b/detections/cloud/aws_exfiltration_via_batch_service.yml 
@@ -14,10 +14,11 @@ description: The following analytic identifies the creation of AWS Batch jobs th to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information. -search: '`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime - max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) - as status by src_ip aws_account_id eventName errorCode userAgent | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`' +search: '`cloudtrail` eventName = JobCreated + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS Administrator or a user has legitimately 
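Review bot: The new stats drops `serviceEventDetails.jobArn`, `serviceEventDetails.status` and `errorCode`, so a rejected JobCreated can no longer be told apart from a successful one and the job ARN needed to triage it is gone; consider keeping `values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status` and adding `errorCode` to the by-clause. JobCreated is a service event, so `userName` may be absent on it; if so, `rename userName as user` yields no `user` and the by-clause silently drops the event — worth verifying against a sample record. The same loss of `errorCode` and of the key artifact applies to aws_exfiltration_via_datasync_task.yml, aws_iam_delete_policy.yml (`policyArn`) and aws_iam_failure_group_deletion.yml (`groupName`).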
@@ -26,12 +27,12 @@ references: - https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/ - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -40,13 +41,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$ + message: AWS Batch Job is created on account id - $vendor_account$ from src_ip $src$ risk_objects: - - field: aws_account_id + - field: user type: other score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml index 496174416a..179031ab5c 100644 --- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml +++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml 
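Review bot: `risk_objects` now names field `user` but keeps `type: other`, while every other normalized detection in this change uses `type: user` for the same field; change it to `type: user` so the risk event attaches to the user entity. The message text `from src_ip $src$` still says `src_ip` although the field is now `src`; `from IP address $src$` would match the new naming.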
@@ -15,10 +15,10 @@ description: The following analytic detects API calls to enable S3 bucket replic could replicate sensitive data to external accounts, leading to data breaches and compliance violations. search: '`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com - | rename requestParameters.* as * | stats count values(bucketName) as source_bucket - values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) - as destination_bucket by _time user_arn userName user_type src_ip aws_account_id - userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region, requestParameters.bucketName as bucket_name + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_bucket_replication_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS admin has legitimately implemented @@ -42,14 +42,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ - by user $user_arn$ from IP Address - $src_ip$ + message: AWS Bucket Replication rule added to $bucket_name$ + by user $user$ from IP Address - $src$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: 
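Review bot: The new stats keeps only `requestParameters.bucketName` and drops the replication rule's destination bucket, which is the field that shows where the data is being copied and the point of this detection per its description; consider adding `values(requestParameters.ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket` to the stats and putting `$destination_bucket$` back into the rba message. Because `rename requestParameters.* as *` was removed, the field has to be referenced by its full `requestParameters.` path as shown.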
diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml index 74dd45c149..a2f4b5a625 100644 --- a/detections/cloud/aws_exfiltration_via_datasync_task.yml +++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml @@ -15,10 +15,11 @@ description: The following analytic detects the creation of an AWS DataSync task this could result in unauthorized access to sensitive information, causing severe data breaches and compliance violations. search: '`cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com" - | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) - as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn - sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' + | rename requestParameters.* as * + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product destinationLocationArn sourceLocationArn + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS Administrator has legitimately created 
@@ -29,11 +30,11 @@ references: - https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/ drilldown_searches: - name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -42,14 +43,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: DataSync task created on account id - $aws_account_id$ by user $user_arn$ - from src_ip $src_ip$ + message: DataSync task created on account id - $vendor_account$ by user $user$ + from src_ip $src$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml index 713d7de058..05a54a10c5 100644 --- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml +++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml 
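Review bot: The first drilldown's `name` still reads `View the detection results for - "$aws_account_id$"` while its `search` was changed to filter on `user = "$user$"`, so the title shows one field and the query uses another; update it to `- name: View the detection results for - "$user$"` as the second drilldown does. `aws_account_id` is no longer in the stats output of the normalized search, so the old token would render empty anyway.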
@@ -18,12 +18,14 @@ description: The following analytic detects a series of AWS API calls related to externally. If confirmed malicious, the attacker could gain access to sensitive information stored in the snapshots, leading to data breaches and potential compliance violations. -search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", - "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" - | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) - as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) - as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip - aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`' +search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" + | bin _time span=5m + | eval vendor_product = "AWS" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | stats count dc(eventName) as distinct_api_calls values(action) as action values(dest) as dest values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(user_agent) as user_agent by _time user src vendor_account vendor_region vendor_product + | where distinct_api_calls >= 2 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_exfiltration_via_ec2_snapshot_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. 
We recommend you adjust @@ -37,12 +39,12 @@ references: - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 - https://stratus-red-team.cloud/attack-techniques/list/ drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -51,14 +53,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ - by user $userName$ from src_ip $src_ip$ + message: Potential AWS EC2 Exfiltration detected on account id - $vendor_account$ + by user $user$ from src_ip $src$ risk_objects: - - field: userName + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml index 577fbd911f..6777e6e2e0 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml 
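Review bot: `dc(eventName) as distinct_api_calls` runs after `eventName` has been renamed to `action`, so the distinct count is always 0 and `where distinct_api_calls >= 2` never matches — the detection is dead as written; use `dc(action) as distinct_api_calls`. The ctime macros are applied to `firstTime` and `lastTime`, but this stats never computes them; add `min(_time) as firstTime max(_time) as lastTime` to the stats. The ConsoleLogin searches in aws_high_number_of_failed_authentications_for_user.yml and aws_high_number_of_failed_authentications_from_ip.yml apply the same macros without producing `firstTime`/`lastTime` either.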
+++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml @@ -14,10 +14,14 @@ description: The following analytic detects an AWS account experiencing more tha the threshold based on their specific environment to reduce false positives. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time - | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) - by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts - > 20 | `aws_high_number_of_failed_authentications_for_user_filter`' +search: '`cloudtrail` eventName=ConsoleLogin action=failure + | bucket span=10m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(_raw) AS failed_attempts values(src) as src values(user_agent) as user_agent by _time, user, action, dest, vendor_account vendor_region, vendor_product + | where failed_attempts > 20 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_high_number_of_failed_authentications_for_user_filter`' how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: A user with more than 20 failed authentication attempts in 
@@ -25,12 +29,12 @@ known_false_positives: A user with more than 20 failed authentication attempts i references: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html drilldown_searches: -- name: View the detection results for - "$user_name$" - search: '%original_detection_search% | search user_name = "$user_name$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -39,10 +43,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ failed to authenticate more than 20 times in the span - of 5 minutes for AWS Account $aws_account_id$ + message: User $user$ failed to authenticate more than 20 times in the span + of 5 minutes for AWS Account $vendor_account$ risk_objects: - - field: user_name + - field: user type: user score: 35 threat_objects: [] diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml index 58d7a9e5e7..3e38e84d86 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml 
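Review bot: The rewritten rba message still says `in the span of 5 minutes`, but the search in the preceding hunk buckets on `span=10m`; change it to `of 10 minutes for AWS Account $vendor_account$` so the risk message matches the window actually evaluated.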
@@ -14,10 +14,14 @@ description: The following analytic detects an IP address with 20 or more failed of AWS resources. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time - | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) - by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts - > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`' +search: '`cloudtrail` eventName=ConsoleLogin action=failure + | bucket span=10m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(_raw) AS failed_attempts values(user) as user values(user_agent) as user_agent by _time, src, action, dest, vendor_account vendor_region, vendor_product + | where failed_attempts > 20 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_high_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. 
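Review bot: The bucket span changed from `5m` to `10m`, which doubles the window over which 20 failures are counted and so loosens the threshold, yet neither the description nor the how_to_implement text mentions the change; if the widening is intentional, note it in `how_to_implement`, otherwise keep `| bucket span=5m _time`. The by-clause also mixes commas and spaces (`vendor_account vendor_region, vendor_product`); Splunk accepts either, but one form would be easier to read.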
@@ -28,12 +32,12 @@ references: - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ - https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/ drilldown_searches: -- name: View the detection results for - "$tried_accounts$" - search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,9 +47,9 @@ drilldown_searches: latest_offset: $info_max_time$ rba: message: 'Multiple failed console login attempts (Count: $failed_attempts$) against - users from IP Address - $src_ip$' + users from IP Address - $src$' risk_objects: - - field: tried_accounts + - field: user type: user score: 54 threat_objects: [] diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml index b35a8f0526..218b4bc3aa 100644 --- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml +++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml 
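Review bot: The risk drilldown now searches `normalized_risk_object IN ("$src$")`, but the only risk object this detection emits is `user` and `threat_objects` is empty, so no risk event carries the source IP and that drilldown will always return nothing. Either point the risk drilldown at `$user$`, or add `src` as a risk object (`type: system`) if the IP is meant to accrue risk for this IP-keyed detection. Note that `user` is now a multivalue field from `values(user) as user`, so one risk event per tried account is created per result row.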
@@ -15,10 +15,13 @@ description: The following analytic identifies excessive AccessDenied events wit data_source: - AWS CloudTrail search: '`cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com) - | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) - as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, - _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`' + | bucket _time span=1h + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(action) as methods, dc(dest) as sources values(action) as action values(dest) as dest by src, user, vendor_account vendor_region, vendor_product + | where failures >= 5 and methods >= 1 and sources >= 1 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_iam_accessdenied_discovery_events_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: It is possible to start this detection will need to be tuned 
@@ -27,12 +30,12 @@ known_false_positives: It is possible to start this detection will need to be tu references: - https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/ drilldown_searches: -- name: View the detection results for - "$userIdentity.arn$" - search: '%original_detection_search% | search userIdentity.arn = "$userIdentity.arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$userIdentity.arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,14 +44,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $userIdentity.arn$ is seen to perform excessive number of discovery + message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied. risk_objects: - - field: userIdentity.arn + - field: user type: user score: 10 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml index 53c734eb11..0b595a5870 100644 --- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml +++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml 
@@ -15,12 +15,12 @@ description: The following analytic detects multiple failed attempts to assume a data and services. data_source: - AWS CloudTrail -search: '`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure - (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as - lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource - aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion - userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`' +search: '`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src, user, vendor_account vendor_region, vendor_product, action, dest, errorCode + | where count >= 2 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment. 
@@ -32,12 +32,12 @@ references: - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ - https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -46,10 +46,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has caused multiple failures with errorCode $errorCode$, + message: User $user$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name. risk_objects: - - field: user_arn + - field: user type: user score: 28 threat_objects: diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml index 3ce2296eff..74233d20e2 100644 --- a/detections/cloud/aws_iam_delete_policy.yml +++ b/detections/cloud/aws_iam_delete_policy.yml 
@@ -15,11 +15,11 @@ description: The following analytic detects the deletion of an IAM policy in AWS the integrity and security of the AWS environment. data_source: - AWS CloudTrail DeletePolicy -search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats - count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) - as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage - userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`' +search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: This detection will require tuning to provide high fidelity diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml index b69c6f006d..e2b4419e01 100644 --- a/detections/cloud/aws_iam_failure_group_deletion.yml +++ b/detections/cloud/aws_iam_failure_group_deletion.yml 
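Review bot: The new stats line drops `values(requestParameters.policyArn) as policyArn`, so the alert no longer says which policy was deleted, and it also drops `errorCode` although the base search has no errorCode filter, so denied and successful DeletePolicy calls are merged into one row. Suggest `| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by action dest user user_agent src vendor_account vendor_region vendor_product errorCode`. If the drilldowns or rba message of this file (outside the hunk) reference `$policyArn$`, that token is empty with the current version.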
@@ -15,12 +15,11 @@ description: The following analytic identifies failed attempts to delete AWS IAM within the AWS environment. data_source: - AWS CloudTrail DeleteGroup -search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode - IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) - | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) - as group_name by src eventName eventSource aws_account_id errorCode errorMessage - userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`' +search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: This detection will require tuning to provide high fidelity 
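Review bot: The rewritten stats drops `values(requestParameters.groupName) as group_name` and `errorCode`, so an analyst can no longer see which group was targeted or distinguish AccessDenied (the interesting case for a failure detection) from NoSuchEntityException/DeleteConflictException. Suggest `| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name values(errorCode) as errorCode by action dest user user_agent src vendor_account vendor_region vendor_product`. The same omission is in the successful_group_deletion search hunk below, where `values(requestParameters.groupName) as group_deleted` was removed.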
@@ -31,12 +30,12 @@ references: - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -45,10 +44,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has had mulitple failures while attempting to delete groups + message: User $user$ has had mulitple failures while attempting to delete groups from $src$ risk_objects: - - field: user_arn + - field: user type: user score: 5 threat_objects: diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml index 82f8c5e8fb..1a2148d81b 100644 --- a/detections/cloud/aws_iam_successful_group_deletion.yml +++ b/detections/cloud/aws_iam_successful_group_deletion.yml 
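Review bot: The rewritten rba message line keeps the misspelling `mulitple`; since the line is being touched anyway, correct it to `message: User $user$ has had multiple failures while attempting to delete groups`. The drilldown hunk of this file is otherwise consistent with the new `user` field.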
@@ -15,11 +15,11 @@ description: The following analytic identifies the successful deletion of an IAM to assess the broader context. data_source: - AWS CloudTrail DeleteGroup -search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success - (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as - lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource - errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`' +search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: This detection will require tuning to provide high fidelity diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml index a56d5651f3..2267460f07 100644 --- a/detections/cloud/aws_lambda_updatefunctioncode.yml +++ b/detections/cloud/aws_lambda_updatefunctioncode.yml 
@@ -14,10 +14,11 @@ description: The following analytic identifies IAM users attempting to update or compromising the integrity and security of your AWS infrastructure. data_source: - AWS CloudTrail -search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode - = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as - lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn - user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`' +search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_lambda_updatefunctioncode_filter`' how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml index 827af91c86..b89c7e2a31 100644 --- a/detections/cloud/aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml 
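Review bot: The new stats line drops `values(requestParameters.functionName) as function_updated` and `user_type`, so the alert no longer identifies which Lambda function's code was replaced, which is the main triage fact; if the rba message or drilldowns of this file (outside the hunk) use `$function_updated$`, that token is now empty. Suggest `| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.functionName) as function_updated by action dest user user_agent src vendor_account vendor_region vendor_product`. The surviving `errorCode = success` with spaces around `=` is also inconsistent with the other rewritten base searches in this chunk.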
@@ -16,9 +16,10 @@ data_source: - AWS CloudTrail DeleteVirtualMFADevice - AWS CloudTrail DeactivateMFADevice search: '`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) - | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource - aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`' how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: AWS Administrators may disable MFA but it is highly unlikely 
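Review bot: The new by-clause drops `status` (and `userIdentity.arn`) while the base search has no errorCode filter, so a denied DeactivateMFADevice attempt and a successful one produce identical rows and the rba message cannot tell them apart. Either keep the outcome in the grouping, `... by action dest user user_agent src vendor_account vendor_region vendor_product errorCode`, or scope the search to `errorCode=success` if only completed MFA removal should score. The drilldown and rba hunks of this file are consistent with `user`/`vendor_account`.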
@@ -27,14 +28,14 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for - "$aws_account_id$" and "$user_name$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$" - user_name = "$user_name$"' +- name: View the detection results for - "$vendor_account$" and "$user$" + search: '%original_detection_search% | search vendor_account = "$vendor_account$" + user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" and "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$", - "$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) +- name: View risk events for the last 7 days for - "$vendor_account$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$vendor_account$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" @@ -42,10 +43,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ has disabled Multi-Factor authentication for AWS account - $aws_account_id$ + message: User $user$ has disabled Multi-Factor authentication for AWS account + $vendor_account$ risk_objects: - - field: user_name + - field: user type: user score: 64 threat_objects: diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml index 0e087f273c..21fdb98624 100644 --- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml 
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml @@ -14,10 +14,13 @@ description: The following analytic identifies multiple failed multi-factor auth AWS environment, potentially compromising sensitive data and resources. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed - authentication" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) - as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName - errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`' +search: '`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed authentication" + | bucket span=5m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(_raw) as mfa_prompts min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(src) as src by _time user dest action vendor_account vendor_region vendor_product errorMessage _time + | where mfa_prompts > 10 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multiple_failed_mfa_requests_for_user_filter`' how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: Multiple Failed MFA requests may also be a sign of authentication 
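Review bot: `_time` appears twice in the by-clause of the new stats (`by _time user dest ... errorMessage _time`); the duplicate is harmless but reads like an editing slip. Suggest `| stats dc(_raw) as mfa_prompts min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(src) as src by _time user dest action vendor_account vendor_region vendor_product errorMessage`. `errorMessage` is fixed to a single value by the base filter, so it could be dropped from the grouping as well.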
@@ -26,12 +29,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for - "$user_name$" - search: '%original_detection_search% | search user_name = "$user_name$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -40,10 +43,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ is seen to have high number of MFA prompt failures within + message: User $user$ is seen to have high number of MFA prompt failures within a short period of time. risk_objects: - - field: user_name + - field: user type: user score: 64 threat_objects: diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml index 7fdb466244..150384cac1 100644 --- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml 
@@ -15,9 +15,13 @@ description: The following analytic identifies a single source IP failing to aut environment. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time - | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by - _time, src_ip | where unique_accounts>30 | `aws_multiple_users_failing_to_authenticate_from_ip_filter`' +search: '`cloudtrail` eventName=ConsoleLogin action=failure + | bucket span=10m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(user) AS unique_accounts values(user) as user values(user_agent) as user_agent by _time, src, action, dest, vendor_account, vendor_region, vendor_product + | where unique_accounts>30 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. 
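Review bot: The new pipeline calls `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)`, but the stats line produces neither field (no `min(_time)`/`max(_time)`), so the macros operate on empty fields. Add `min(_time) as firstTime max(_time) as lastTime` to the stats or drop the two macro calls. Separately, the base search filters on `action=failure` and the following `rename eventName as action` then overwrites that outcome with the API name, so the grouped output no longer records that these were failures; reuse of `action` for eventName is questionable here, or the outcome should be preserved in another field such as `values(errorMessage) as errorMessage`.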
@@ -28,12 +32,12 @@ references: - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ - https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/ drilldown_searches: -- name: View the detection results for - "$tried_accounts$" - search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,13 +47,13 @@ drilldown_searches: latest_offset: $info_max_time$ rba: message: 'Multiple failed console login attempts (Count: $unique_accounts$) against - users from IP Address - $src_ip$' + users from IP Address - $src$' risk_objects: - - field: tried_accounts + - field: user type: user score: 54 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml index 9c3254ca93..8af0e77fd5 100644 --- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml 
@@ -16,16 +16,15 @@ description: The following analytic detects the creation of AWS Network Access C data_source: - AWS CloudTrail CreateNetworkAclEntry - AWS CloudTrail ReplaceNetworkAclEntry -search: "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry - requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 +search: "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' - | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) - as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction - requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to - requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`" + | where port_range>1024] + | fillnull + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from requestParameters.cidrBlock + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | 
`aws_network_access_control_list_created_with_all_open_ports_filter`" how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs. @@ -34,12 +33,12 @@ known_false_positives: It's possible that an admin has created this ACL with all in production environment. references: [] drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -48,10 +47,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has created network ACLs with all the ports open to a specified + message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ risk_objects: - - field: user_arn + - field: user type: user score: 48 threat_objects: diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml index 8499371040..ccd5fde705 100644 --- a/detections/cloud/aws_network_access_control_list_deleted.yml 
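Review bot: This search hunk is the only one in the chunk without `| eval vendor_product = "AWS"`, yet the new stats groups `by ... vendor_account vendor_region vendor_product ...`; because stats drops rows whose group-by field is null, every result is discarded and the detection can never fire. Insert `| eval vendor_product = "AWS"` after the rename line, as the other searches do. The `fillnull` before the rename does not help, since it only fills fields that already exist in the result set.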
+++ b/detections/cloud/aws_network_access_control_list_deleted.yml @@ -15,9 +15,11 @@ description: The following analytic detects the deletion of AWS Network Access C data_source: - AWS CloudTrail DeleteNetworkAclEntry search: '`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false - | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn - userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`' + | fillnull + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. 
@@ -25,12 +27,12 @@ known_false_positives: It's possible that a user has legitimately deleted a netw ACL. references: [] drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -39,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= + message: User $user$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere risk_objects: - - field: user_arn + - field: user type: user score: 5 threat_objects: diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml index 1891036414..cdc3aa8e56 100644 --- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml 
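Review bot: The rewritten rba message still interpolates `$eventName$` on its continuation line, but the search hunk earlier in this file renames eventName to action and groups only by the renamed fields, so the token renders empty. Change the message to use the field that survives, e.g. `message: User $user$ from $src$ has successfully deleted network ACLs entry (action=` followed by ` $action$), such that the instance is accessible from anywhere`, which also fixes the `sucessfully` misspelling on the new-side line.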
@@ -14,10 +14,11 @@ description: The following analytic detects the registration of a new Multi-Fact potentially leading to further unauthorized activities and data breaches. data_source: - AWS CloudTrail CreateVirtualMFADevice -search: '`cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) - as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource - aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn - src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`cloudtrail` eventName=CreateVirtualMFADevice + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region, requestParameters.virtualMFADeviceName as virtualMFADeviceName + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product virtualMFADeviceName + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`' how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs. 
@@ -29,12 +30,12 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://twitter.com/jhencinski/status/1618660062352007174 drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,13 +44,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ + message: A new virtual device $virtualMFADeviceName$ is added to user $user$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml index a9c930cfca..ee9ad706e1 100644 --- a/detections/cloud/aws_password_policy_changes.yml +++ b/detections/cloud/aws_password_policy_changes.yml 
@@ -17,11 +17,11 @@ data_source: - AWS CloudTrail UpdateAccountPasswordPolicy - AWS CloudTrail GetAccountPasswordPolicy - AWS CloudTrail DeleteAccountPasswordPolicy -search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") - errorCode=success | stats count values(eventName) as eventName values(userAgent) - min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion - userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`' +search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`' how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml index c92114d370..ffc4fe6e41 100644 --- a/detections/cloud/aws_saml_update_identity_provider.yml +++ b/detections/cloud/aws_saml_update_identity_provider.yml 
@@ -15,10 +15,11 @@ description: The following analytic detects updates to the SAML provider in AWS. data. data_source: - AWS CloudTrail UpdateSAMLProvider -search: '`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime - max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn - userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId - userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` +search: '`cloudtrail` eventName=UpdateSAMLProvider + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
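Review bot: The new by-clause drops `requestParameters.sAMLProviderArn` and `userIdentity.sessionContext.sessionIssuer.arn`, while the rba message in this file (next hunk) still interpolates `$requestParameters.sAMLProviderArn$` and `$eventName$`; both tokens are empty with this search. Keep the provider in the grouping, `| stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product requestParameters.sAMLProviderArn`, and switch the message to `$action$`. Because the previous grouping keyed on the sessionIssuer arn, this detection evidently expected role-session callers, which are exactly the events that lack a top-level userName and would now be dropped by the stats; give `user` a fallback before the stats.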
@@ -30,12 +31,12 @@ references:
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
- https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
drilldown_searches:
-- name: View the detection results for - "$userIdentity.principalId$"
- search: '%original_detection_search% | search userIdentity.principalId = "$userIdentity.principalId$"'
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$userIdentity.principalId$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.principalId$")
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -44,14 +45,14 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged
+ message: User $user$ from IP address $src$ has trigged
an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$
risk_objects:
- - field: userIdentity.principalId
+ - field: user
type: user
score: 64
threat_objects:
- - field: sourceIPAddress
+ - field: src
type: ip_address
tags:
analytic_story:
diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml
index b927809aa5..e92be7f908 100644
--- a/detections/cloud/aws_setdefaultpolicyversion.yml
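Review bot: The risk message's unchanged continuation line still interpolates `$eventName$` and `$requestParameters.sAMLProviderArn$`, but the new search renames `eventName` to `action` and its `stats` clause emits neither field, so both tokens will appear unresolved in every risk event this rule produces. The continuation should read `an action $action$ to update the SAML provider to $saml_provider_arn$`, with `values(requestParameters.sAMLProviderArn) as saml_provider_arn` added to the search's `stats` so the ARN is actually present. While touching the message, "trigged" on the changed line is a typo for "triggered".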
+++ b/detections/cloud/aws_setdefaultpolicyversion.yml
@@ -15,10 +15,10 @@ description: The following analytic detects when a user sets a default policy ve
data_source:
- AWS CloudTrail SetDefaultPolicyVersion
search: '`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com
- | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn)
- as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id
- errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`'
+ | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region
+ | eval vendor_product = "AWS"
+ | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`'
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
search works with AWS CloudTrail logs.
known_false_positives: While this search has no known false positives, it is possible
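Review bot: The new `stats` no longer carries `requestParameters.policyArn` (previously surfaced as `policy_arn`) or `requestParameters.versionId`, so a result of this detection no longer identifies which managed policy had its default version switched, or to which version, which is precisely what distinguishes the privilege-escalation pattern in the references from routine policy housekeeping. Both are cheap to keep as aggregated values: `| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn values(requestParameters.versionId) as policy_version by action dest user user_agent src vendor_account vendor_region vendor_product`. Dropping them also leaves the drilldown with nothing to pivot on beyond the user.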
@@ -29,12 +29,12 @@ references:
- https://bishopfox.com/blog/privilege-escalation-in-aws
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/
drilldown_searches:
-- name: View the detection results for - "$user_arn$"
- search: '%original_detection_search% | search user_arn = "$user_arn$"'
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user_arn$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$")
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -43,10 +43,10 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: From IP address $src$, user $user_arn$ has trigged an event $eventName$
+ message: From IP address $src$, user $user$ has trigged an action $action$
for updating the the default policy version
risk_objects:
- - field: user_arn
+ - field: user
type: user
score: 30
threat_objects:
diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
index 558280bf33..2012c14846 100644
--- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
+++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
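Review bot: The updated risk message, `user $user$ has trigged an action $action$` followed by the unchanged `for updating the the default policy version`, misspells "triggered", doubles "the", and names no policy at all, so the analyst reading the risk event cannot tell what was changed without re-running the search. If the search keeps the policy ARN in its `stats` output, `From IP address $src$, user $user$ triggered $action$, changing the default version of policy $policy_arn$` reads correctly and carries the subject of the change; if it does not, at least fix the wording to `triggered $action$ to change the default policy version`.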
@@ -14,9 +14,13 @@ description: The following analytic detects an AWS account successfully authenti
resources, leading to data breaches or further exploitation within the AWS environment.
data_source:
- AWS CloudTrail ConsoleLogin
-search: '`cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent)
- as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip)
- as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`'
+search: '`cloudtrail` eventName = ConsoleLogin
+ | bin span=5m _time
+ | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region
+ | eval vendor_product = "AWS"
+ | stats dc(src) as distinct_ip_count values(src) as src values(user_agent) as user_agent by _time, user, action, dest, vendor_account, vendor_region, vendor_product
+ | where distinct_ip_count>1
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_console_authentication_from_multiple_ips_filter`'
how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This
search works when AWS CloudTrail events are normalized use the Authentication datamodel.
known_false_positives: A user with successful authentication events from different
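Review bot: The added last line runs the `security_content_ctime` macros over `firstTime` and `lastTime`, but the new `stats` computes neither, it only yields `distinct_ip_count`, `src` and `user_agent`, so the macros act on fields that do not exist and the result carries no first/last-seen time for the 5-minute window it reports on. Add the aggregations: `| stats dc(src) as distinct_ip_count values(src) as src values(user_agent) as user_agent min(_time) as firstTime max(_time) as lastTime by _time, user, action, dest, vendor_account, vendor_region, vendor_product`. Separately, the search still matches every `ConsoleLogin` event regardless of outcome, so the "successful" in the detection name depends on a filter that is not in this hunk; if none exists elsewhere in the file, `errorCode=success` (as the sibling single-factor detection applies) belongs on the first search line.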
@@ -25,12 +29,12 @@ known_false_positives: A user with successful authentication events from differe
references:
- https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/
drilldown_searches:
-- name: View the detection results for - "$user_arn$"
- search: '%original_detection_search% | search user_arn = "$user_arn$"'
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user_arn$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$")
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -39,14 +43,14 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: User $user_arn$ has successfully logged into the AWS Console from different
- IP addresses $src_ip$ within 5 mins
+ message: User $user$ has successfully logged into the AWS Console from different
+ IP addresses $src$ within 5 mins
risk_objects:
- - field: user_arn
+ - field: user
type: user
score: 72
threat_objects:
- - field: src_ip
+ - field: src
type: ip_address
tags:
analytic_story:
diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml
index 0e3b986294..48b5508c32 100644
--- a/detections/cloud/aws_successful_single_factor_authentication.yml
+++ b/detections/cloud/aws_successful_single_factor_authentication.yml
@@ -15,9 +15,10 @@ description: The following analytic identifies a successful Console Login authen
data_source:
- AWS CloudTrail ConsoleLogin
search: '`cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No
- | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource
- aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion
- user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+ | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region
+ | eval vendor_product = "AWS"
+ | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `aws_successful_single_factor_authentication_filter`'
how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search
requires AWS CloudTrail logs.
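Review bot: Grouping by `user` after `rename userName as user` makes the result depend on `userName` being present, and `stats ... by` drops any event whose group-by field is null; the removed lines grouped on `userIdentity.arn` instead, which does not have that dependency. A console login without MFA by a principal that carries no `userName` (the root user is the usual suspect, to be confirmed against your CloudTrail data) is the highest-value hit for this rule and may now disappear from its output. A cheap safeguard is to fall back to the ARN when the name is missing, `| eval userName=coalesce(userName, 'userIdentity.arn')` before the `rename`, or to use the `| fillnull` guard that later commits in this series add to sibling detections.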
@@ -28,12 +29,12 @@ references:
- https://attack.mitre.org/techniques/T1078/004/
- https://aws.amazon.com/what-is/mfa/
drilldown_searches:
-- name: View the detection results for - "$user_name$"
- search: '%original_detection_search% | search user_name = "$user_name$"'
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user_name$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$")
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
@@ -42,10 +43,10 @@ drilldown_searches:
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
- message: User $user_name$ has successfully logged into an AWS Console without Multi-Factor
+ message: User $user$ has successfully logged into an AWS Console without Multi-Factor
Authentication from $src$
risk_objects:
- - field: user_name
+ - field: user
type: user
score: 64
threat_objects:
diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
index 6e86b15927..f7700eb340 100644
--- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
@@ -14,11 +14,14 @@ description: The following analytic identifies a single source IP failing to aut
unauthorized access, data breaches, or further exploitation within the AWS environment.
data_source:
- AWS CloudTrail ConsoleLogin
-search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time
- | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time,
- src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts)
- as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts
- > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`'
+search: '`cloudtrail` eventName=ConsoleLogin action=failure
+ | bucket span=10m _time
+ | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip
+ | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time
+ | eval upperBound=(avg_attempts+ip_std*3)
+ | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0)
+ | where isOutlier = 1
+ | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_unusual_number_of_failed_authentications_from_ip_filter`'
how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail.
We recommend the users to try different combinations of the bucket span time and
the calculation of the upperBound field to tune this search according to their environment
diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml
similarity index 99%
rename from detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
rename to detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml
index 15f1a67871..b2214e952e 100644
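Review bot: The added final line applies the `security_content_ctime` macros to `firstTime` and `lastTime`, but nothing upstream defines them, the `stats` only yields `distinct_attempts` and `tried_accounts` per `_time, src_ip`, so the macros are no-ops on absent fields and the output has no first/last-seen times for the offending IP. Adding `min(_time) as firstTime max(_time) as lastTime` to that `stats` call fixes it. This search is also the only one in the commit left on `src_ip`/`user_name` and `action=failure` rather than the `src`/`user` naming the rest of the series moves to; if that is deliberate because those fields come from the add-on rather than a `rename`, a sentence in `how_to_implement` saying so would stop the next maintainer from "fixing" it.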
--- a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
+++ b/detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml
@@ -3,7 +3,7 @@ id: bbe23980-6019-11eb-ae93-0242ac130002
version: 4
date: '2024-11-14'
author: Rod Soto, Splunk
-status: production
+status: deprecated
type: Anomaly
description: The following analytic identifies specific SAML access events by a service
provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs
From 969ba0fb65a8cad5febe6422add60109b6cbcead Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Tue, 4 Feb 2025 11:47:09 +0100
Subject: [PATCH 05/15] all test passed
---
detections/cloud/aws_excessive_security_scanning.yml | 4 ++--
detections/cloud/aws_exfiltration_via_batch_service.yml | 1 +
detections/cloud/aws_exfiltration_via_ec2_snapshot.yml | 2 +-
.../cloud/aws_multiple_failed_mfa_requests_for_user.yml | 2 +-
4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml
index 1c6050e42f..da1afbefa5 100644
--- a/detections/cloud/aws_excessive_security_scanning.yml
+++ b/detections/cloud/aws_excessive_security_scanning.yml
@@ -15,10 +15,10 @@ description: The following analytic identifies excessive security scanning activ
data_source:
- AWS CloudTrail
search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get*
+ | fillnull
| rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region
| eval vendor_product = "AWS"
- | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name
- | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(action) as action values(dest) as dest values(user_agent) as user_agent values(src) as src values(vendor_account) as vendor_account values(vendor_region) as vendor_region by user
+ | stats dc(action) as dc_events min(_time) as firstTime max(_time) as lastTime values(action) as action values(dest) as dest values(user_agent) as user_agent values(src) as src values(vendor_account) as vendor_account values(vendor_region) as vendor_region by user
| where dc_events > 50
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`'
how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This
diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml
index 19aa6238f6..cff6f8cad3 100644
--- a/detections/cloud/aws_exfiltration_via_batch_service.yml
+++ b/detections/cloud/aws_exfiltration_via_batch_service.yml
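Review bot: The bare `| fillnull` substitutes `0` for every missing field, so after the `rename` each event that lacks `userName` becomes `user=0`, and the final `stats ... by user` then merges all such events, in practice API calls from many distinct role sessions, into one `user=0` row whose `dc(action)` will easily clear the `> 50` threshold and raise a risk event against a user literally named 0. Fill only the fields this pipeline groups on, with a value that reads as unknown, e.g. `| fillnull value="unknown" userName userAgent sourceIPAddress awsRegion`, or derive the name from `userIdentity.arn` when `userName` is absent, so that distinct principals stay distinct and the risk object is meaningful. A field list also avoids `fillnull` touching every other field of CloudTrail's wide records.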
@@ -15,6 +15,7 @@ description: The following analytic identifies the creation of AWS Batch jobs th
could lead to unauthorized data transfer between S3 buckets, resulting in data breaches
and loss of sensitive information.
search: '`cloudtrail` eventName = JobCreated
+ | fillnull
| rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region
| eval vendor_product = "AWS"
| stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 05a54a10c5..1d23327ab1 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
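Review bot: `| fillnull` with no `value=` fills with `0`, so a `JobCreated` event that is missing `userName` or `sourceIPAddress` ends up in the `stats` output as `user=0` and `src=0`, and if this file's rba section uses `user` and `src` as the other AWS detections in this series do, those literal zeros become the risk and threat objects. Restricting the fill to the grouped fields with a readable placeholder, `| fillnull value="unknown" userName userAgent sourceIPAddress awsRegion`, keeps the output honest and stops `fillnull` from walking every field of the event.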
@@ -22,7 +22,7 @@ search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute
| bin _time span=5m
| eval vendor_product = "AWS"
| rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region
- | stats count dc(eventName) as distinct_api_calls values(action) as action values(dest) as dest values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(user_agent) as user_agent by _time user src vendor_account vendor_region vendor_product
+ | stats count dc(action) as distinct_api_calls values(action) as action values(dest) as dest values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(user_agent) as user_agent by _time user src vendor_account vendor_region vendor_product
| where distinct_api_calls >= 2
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `aws_exfiltration_via_ec2_snapshot_filter`'
diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
index 21fdb98624..7b9cb77a36 100644
--- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
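Review bot: The `stats` on the changed line never computes `firstTime` or `lastTime`, it aggregates `count`, `distinct_api_calls` and several `values(...)` per 5-minute `_time` bucket, yet the two context lines below call the `security_content_ctime` macros on exactly those fields, so the output has no first/last-seen timestamps for the snapshot-sharing sequence. Add `min(_time) as firstTime max(_time) as lastTime` to the aggregation. The `dc(eventName)` to `dc(action)` correction is the right one, since the `rename` above removes `eventName` and `distinct_api_calls` would otherwise always be null and the `>= 2` filter would drop everything.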
@@ -18,7 +18,7 @@ search: '`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes
| bucket span=5m _time
| rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region
| eval vendor_product = "AWS"
- | stats dc(_raw) as mfa_prompts min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(src) as src by _time user dest action vendor_account vendor_region vendor_product errorMessage _time
+ | stats dc(_raw) as mfa_prompts min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(src) as src by _time user dest action vendor_account vendor_region vendor_product errorMessage
| where mfa_prompts > 10
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multiple_failed_mfa_requests_for_user_filter`'
how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search
From 1a3f332ac7a8fc500fd06870e9690b9b26430b74 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Tue, 18 Feb 2025 09:57:11 +0100
Subject: [PATCH 06/15] version bump
---
.../cloud/asl_aws_concurrent_sessions_from_different_ips.yml | 2 +-
...tect_users_creating_keys_with_encrypt_policy_without_mfa.yml | 2 +-
detections/cloud/asl_aws_disable_bucket_versioning.yml | 2 +-
detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml | 2 +-
detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml | 2 +-
detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml | 2 +-
detections/cloud/asl_aws_iam_failure_group_deletion.yml | 2 +-
.../cloud/aws_ami_attribute_modification_for_exfiltration.yml | 2 +-
detections/cloud/aws_concurrent_sessions_from_different_ips.yml | 2 +-
...tect_users_creating_keys_with_encrypt_policy_without_mfa.yml | 2 +-
detections/cloud/aws_exfiltration_via_ec2_snapshot.yml | 2 +-
detections/cloud/aws_iam_accessdenied_discovery_events.yml | 2 +-
detections/deprecated/asl_aws_excessive_security_scanning.yml | 2 +-
detections/deprecated/asl_aws_password_policy_changes.yml | 2 +-
detections/deprecated/aws_detect_attach_to_role_policy.yml | 2 +-
detections/deprecated/aws_detect_role_creation.yml | 2 +-
detections/deprecated/aws_detect_sts_assume_role_abuse.yml | 2 +-
.../deprecated/aws_detect_sts_get_session_token_abuse.yml | 2 +-
18 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index 31d8a82fd8..eaf8027900 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -1,6 +1,6 @@
name: ASL AWS Concurrent Sessions From Different Ips
id: b3424bbe-3204-4469-887b-ec144483a336
-version: 6
+version: 7
date: '2024-11-14'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 587c97d919..9ad002d4d2 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,6 +1,6 @@
name: ASL AWS Detect Users creating keys with encrypt policy without MFA
id: 16ae9076-d1d5-411c-8fdd-457504b33dac
-version: 1
+version: 2
date: '2024-12-16'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index 32b08c3e6e..658ec386de 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -1,6 +1,6 @@
name: ASL AWS Disable Bucket Versioning
id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc
-version: 1
+version: 2
date: '2024-12-16'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
index d43f8289a8..ddd4f088e5 100644
--- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
@@ -1,6 +1,6 @@
name: ASL AWS EC2 Snapshot Shared Externally
id: 00af8f7f-e004-446b-9bba-2732f717ae27
-version: 1
+version: 2
date: '2024-12-17'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index 065f517035..8108ed6e5b 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -1,6 +1,6 @@
name: ASL AWS IAM AccessDenied Discovery Events
id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2
-version: 1
+version: 2
date: '2025-01-08'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
index b8dafe5438..760ec5d535 100644
--- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
@@ -1,6 +1,6 @@
name: ASL AWS IAM Assume Role Policy Brute Force
id: 726959fe-316d-445c-a584-fa187d64e295
-version: 1
+version: 2
date: '2025-01-08'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index fd80b5fa9a..f84ecec18c 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,6 +1,6 @@
name: ASL AWS IAM Failure Group Deletion
id: 8d12f268-c567-4557-9813-f8389e235c06
-version: 6
+version: 7
date: '2024-11-14'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
index cd1cbfff5e..1f1fd7d422 100644
--- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
+++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
@@ -1,6 +1,6 @@
name: AWS AMI Attribute Modification for Exfiltration
id: f2132d74-cf81-4c5e-8799-ab069e67dc9f
-version: 5
+version: 6
date: '2024-11-14'
author: Bhavin Patel, Splunk
status: production
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
index 86f240062a..9787083dff 100644
--- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -1,6 +1,6 @@
name: AWS Concurrent Sessions From Different Ips
id: 51c04fdb-2746-465a-b86e-b413a09c9085
-version: 5
+version: 6
date: '2024-11-14'
author: Bhavin Patel, Splunk
status: production
diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 7662059987..52c5bb40a6 100644
--- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,6 +1,6 @@
name: AWS Detect Users creating keys with encrypt policy without MFA
id: c79c164f-4b21-4847-98f9-cf6a9f49179e
-version: 4
+version: 5
date: '2024-11-14'
author: Rod Soto, Patrick Bareiss Splunk
status: production
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 1d23327ab1..29dcbe0b67 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
@@ -1,6 +1,6 @@
name: AWS Exfiltration via EC2 Snapshot
id: ac90b339-13fc-4f29-a18c-4abbba1f2171
-version: 4
+version: 5
date: '2024-11-14'
author: Bhavin Patel, Splunk
status: production
diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
index 218b4bc3aa..f3f2d7600f 100644
--- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
@@ -1,6 +1,6 @@
name: AWS IAM AccessDenied Discovery Events
id: 3e1f1568-9633-11eb-a69c-acde48001122
-version: 5
+version: 6
date: '2024-11-14'
author: Michael Haag, Splunk
status: production
diff --git a/detections/deprecated/asl_aws_excessive_security_scanning.yml b/detections/deprecated/asl_aws_excessive_security_scanning.yml
index 0ee3a463e3..c87ee0aa93 100644
--- a/detections/deprecated/asl_aws_excessive_security_scanning.yml
+++ b/detections/deprecated/asl_aws_excessive_security_scanning.yml
@@ -1,6 +1,6 @@
name: ASL AWS Excessive Security Scanning
id: ff2bfdbc-65b7-4434-8f08-d55761d1d446
-version: 4
+version: 5
date: '2024-11-14'
author: Patrick Bareiss, Splunk
status: deprecated
diff --git a/detections/deprecated/asl_aws_password_policy_changes.yml b/detections/deprecated/asl_aws_password_policy_changes.yml
index d791f17208..16ea57fca3 100644
--- a/detections/deprecated/asl_aws_password_policy_changes.yml
+++ b/detections/deprecated/asl_aws_password_policy_changes.yml
@@ -1,6 +1,6 @@
name: ASL AWS Password Policy Changes
id: 5ade5937-11a2-4363-ba6b-39a3ee8d5b1a
-version: 3
+version: 5
date: '2024-11-14'
author: Patrick Bareiss, Splunk
status: deprecated
diff --git a/detections/deprecated/aws_detect_attach_to_role_policy.yml b/detections/deprecated/aws_detect_attach_to_role_policy.yml
index 15cd19619d..ddde29333c 100644
--- a/detections/deprecated/aws_detect_attach_to_role_policy.yml
+++ b/detections/deprecated/aws_detect_attach_to_role_policy.yml
@@ -1,6 +1,6 @@
name: aws detect attach to role policy
id: 88fc31dd-f331-448c-9856-d3d51dd5d3a1
-version: 4
+version: 5
date: '2024-11-14'
author: Rod Soto, Splunk
status: deprecated
diff --git a/detections/deprecated/aws_detect_role_creation.yml b/detections/deprecated/aws_detect_role_creation.yml
index 830b7c96a6..b60812c49c 100644
--- a/detections/deprecated/aws_detect_role_creation.yml
+++ b/detections/deprecated/aws_detect_role_creation.yml
@@ -1,6 +1,6 @@
name: aws detect role creation
id: 5f04081e-ddee-4353-afe4-504f288de9ad
-version: 4
+version: 5
date: '2024-11-14'
author: Rod Soto, Splunk
status: deprecated
diff --git a/detections/deprecated/aws_detect_sts_assume_role_abuse.yml b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
index 21aa5e16fb..e83636a56d 100644
--- a/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
+++ b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
@@ -1,6 +1,6 @@
name: aws detect sts assume role abuse
id: 8e565314-b6a2-46d8-9f05-1a34a176a662
-version: 4
+version: 5
date: '2024-11-14'
author: Rod Soto, Splunk
status: deprecated
diff --git a/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
index 41055eee3e..80ed8b1698 100644
--- a/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
+++ b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
@@ -1,6 +1,6 @@
name: aws detect sts get session token abuse
id: 85d7b35f-b8b5-4b01-916f-29b81e7a0551
-version: 4
+version: 5
date: '2024-11-14'
author: Rod Soto, Splunk
status: deprecated
From 0a4e58f9cf3040cfb3812fd6a725b73375bfd48e Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Tue, 18 Feb 2025 10:06:29 +0100
Subject: [PATCH 07/15] version bump
---
detections/cloud/asl_aws_iam_delete_policy.yml | 2 +-
detections/cloud/asl_aws_saml_update_identity_provider.yml | 2 +-
...ws_cross_account_activity_from_previously_unseen_account.yml | 1 +
.../aws_detect_users_with_kms_keys_performing_encryption_s3.yml | 2 +-
detections/cloud/aws_disable_bucket_versioning.yml | 2 +-
detections/cloud/aws_ec2_snapshot_shared_externally.yml | 2 +-
detections/cloud/aws_excessive_security_scanning.yml | 2 +-
.../aws_exfiltration_via_anomalous_getobject_api_activity.yml | 2 +-
detections/cloud/aws_exfiltration_via_batch_service.yml | 2 +-
detections/cloud/aws_exfiltration_via_bucket_replication.yml | 2 +-
detections/cloud/aws_exfiltration_via_datasync_task.yml | 2 +-
.../aws_high_number_of_failed_authentications_for_user.yml | 2 +-
detections/cloud/aws_iam_assume_role_policy_brute_force.yml | 2 +-
detections/cloud/aws_iam_delete_policy.yml | 2 +-
detections/cloud/aws_iam_failure_group_deletion.yml | 2 +-
detections/cloud/aws_lambda_updatefunctioncode.yml | 2 +-
detections/cloud/aws_password_policy_changes.yml | 2 +-
.../cloud/aws_saml_access_by_provider_user_and_principal.yml | 1 +
detections/cloud/aws_saml_update_identity_provider.yml | 2 +-
.../aws_successful_console_authentication_from_multiple_ips.yml | 2 +-
detections/deprecated/aws_detect_permanent_key_creation.yml | 2 +-
21 files changed, 21 insertions(+), 19 deletions(-)
create mode 100644 detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
create mode 100644 detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml
index 1d89b2772d..8e9d87425b 100644
--- a/detections/cloud/asl_aws_iam_delete_policy.yml
+++ b/detections/cloud/asl_aws_iam_delete_policy.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Delete Policy
 id: 609ced68-d420-4ff7-8164-ae98b4b4018c
-version: 5
+version: 6
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml
index 31ea6bb635..4c0e69b93e 100644
--- a/detections/cloud/asl_aws_saml_update_identity_provider.yml
+++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml
@@ -1,6 +1,6 @@
 name: ASL AWS SAML Update identity provider
 id: 635c26cc-0fd1-4098-8ec9-824bf9544b11
-version: 1
+version: 2
 date: '2025-01-09'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
new file mode 100644
index 0000000000..eb527f0e1c
--- /dev/null
+++ b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
@@ -0,0 +1 @@
+version: 5
\ No newline at end of file
diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
index 2576eb67b4..9296c2c437 100644
--- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
+++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
@@ -1,6 +1,6 @@
 name: AWS Detect Users with KMS keys performing encryption S3
 id: 884a5f59-eec7-4f4a-948b-dbde18225fdc
-version: 5
+version: 6
 date: '2024-11-14'
 author: Rod Soto, Patrick Bareiss Splunk
 status: production
diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml
index 91c6bdb5f8..633072c453 100644
--- a/detections/cloud/aws_disable_bucket_versioning.yml
+++ b/detections/cloud/aws_disable_bucket_versioning.yml
@@ -1,6 +1,6 @@
 name: AWS Disable Bucket Versioning
 id: 657902a9-987d-4879-a1b2-e7a65512824b
-version: 4
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
index 9ceada3e2c..b5b351c84d 100644
--- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
@@ -1,6 +1,6 @@
 name: AWS EC2 Snapshot Shared Externally
 id: 2a9b80d3-6340-4345-b5ad-290bf3d222c4
-version: 6
+version: 7
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml
index da1afbefa5..5451636bfb 100644
--- a/detections/cloud/aws_excessive_security_scanning.yml
+++ b/detections/cloud/aws_excessive_security_scanning.yml
@@ -1,6 +1,6 @@
 name: AWS Excessive Security Scanning
 id: 1fdd164a-def8-4762-83a9-9ffe24e74d5a
-version: 4
+version: 5
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
index eb303bc8cf..ac279b1848 100644
--- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
+++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
@@ -1,6 +1,6 @@
 name: AWS Exfiltration via Anomalous GetObject API Activity
 id: e4384bbf-5835-4831-8d85-694de6ad2cc6
-version: 4
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml
index cff6f8cad3..4b76762dcb 100644
--- a/detections/cloud/aws_exfiltration_via_batch_service.yml
+++ b/detections/cloud/aws_exfiltration_via_batch_service.yml
@@ -1,6 +1,6 @@
 name: AWS Exfiltration via Batch Service
 id: 04455dd3-ced7-480f-b8e6-5469b99e98e2
-version: 4
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
index 179031ab5c..93c4a38b18 100644
--- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml
+++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
@@ -1,6 +1,6 @@
 name: AWS Exfiltration via Bucket Replication
 id: eeb432d6-2212-43b6-9e89-fcd753f7da4c
-version: 4
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml
index a2f4b5a625..b0e454b109 100644
--- a/detections/cloud/aws_exfiltration_via_datasync_task.yml
+++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml
@@ -1,6 +1,6 @@
 name: AWS Exfiltration via DataSync Task
 id: 05c4b09f-ea28-4c7c-a7aa-a246f665c8a2
-version: 4
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
index 6777e6e2e0..d9afb8b908 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
@@ -1,6 +1,6 @@
 name: AWS High Number Of Failed Authentications For User
 id: e3236f49-daf3-4b70-b808-9290912ac64d
-version: 4
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
index 0b595a5870..5950c7d510 100644
--- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
@@ -1,6 +1,6 @@
 name: AWS IAM Assume Role Policy Brute Force
 id: f19e09b0-9308-11eb-b7ec-acde48001122
-version: 4
+version: 5
 date: '2024-11-14'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml
index 74233d20e2..9a1ff45d95 100644
--- a/detections/cloud/aws_iam_delete_policy.yml
+++ b/detections/cloud/aws_iam_delete_policy.yml
@@ -1,6 +1,6 @@
 name: AWS IAM Delete Policy
 id: ec3a9362-92fe-11eb-99d0-acde48001122
-version: 4
+version: 5
 date: '2024-11-14'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml
index e2b4419e01..c2d7f3f6be 100644
--- a/detections/cloud/aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/aws_iam_failure_group_deletion.yml
@@ -1,6 +1,6 @@
 name: AWS IAM Failure Group Deletion
 id: 723b861a-92eb-11eb-93b8-acde48001122
-version: 6
+version: 7
 date: '2024-11-14'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml
index 2267460f07..cead07f377 100644
--- a/detections/cloud/aws_lambda_updatefunctioncode.yml
+++ b/detections/cloud/aws_lambda_updatefunctioncode.yml
@@ -1,6 +1,6 @@
 name: AWS Lambda UpdateFunctionCode
 id: 211b80d3-6340-4345-11ad-212bf3d0d111
-version: 5
+version: 6
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml
index ee9ad706e1..441a3eeec2 100644
--- a/detections/cloud/aws_password_policy_changes.yml
+++ b/detections/cloud/aws_password_policy_changes.yml
@@ -1,6 +1,6 @@
 name: AWS Password Policy Changes
 id: aee4a575-7064-4e60-b511-246f9baf9895
-version: 4
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
new file mode 100644
index 0000000000..eb527f0e1c
--- /dev/null
+++ b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
@@ -0,0 +1 @@
+version: 5
\ No newline at end of file
diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml
index ffc4fe6e41..63c9b1f306 100644
--- a/detections/cloud/aws_saml_update_identity_provider.yml
+++ b/detections/cloud/aws_saml_update_identity_provider.yml
@@ -1,6 +1,6 @@
 name: AWS SAML Update identity provider
 id: 2f0604c6-6030-11eb-ae93-0242ac130002
-version: 5
+version: 6
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: production
diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
index 2012c14846..c159754c61 100644
--- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
+++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
@@ -1,6 +1,6 @@
 name: AWS Successful Console Authentication From Multiple IPs
 id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb
-version: 6
+version: 7
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/deprecated/aws_detect_permanent_key_creation.yml b/detections/deprecated/aws_detect_permanent_key_creation.yml
index 351dea6701..5f6070e970 100644
--- a/detections/deprecated/aws_detect_permanent_key_creation.yml
+++ b/detections/deprecated/aws_detect_permanent_key_creation.yml
@@ -1,6 +1,6 @@
 name: aws detect permanent key creation
 id: 12d6d713-3cb4-4ffc-a064-1dca3d1cca01
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
From a75adf9558231c707e1487b8864c4e1f573a1bb3 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Tue, 18 Feb 2025 10:18:06 +0100
Subject: [PATCH 08/15] Revert "version bump"
This reverts commit 1a3f332ac7a8fc500fd06870e9690b9b26430b74.
---
 .../cloud/asl_aws_concurrent_sessions_from_different_ips.yml | 2 +-
 ...tect_users_creating_keys_with_encrypt_policy_without_mfa.yml | 2 +-
 detections/cloud/asl_aws_disable_bucket_versioning.yml | 2 +-
 detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml | 2 +-
 detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml | 2 +-
 detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml | 2 +-
 detections/cloud/asl_aws_iam_failure_group_deletion.yml | 2 +-
 .../cloud/aws_ami_attribute_modification_for_exfiltration.yml | 2 +-
 detections/cloud/aws_concurrent_sessions_from_different_ips.yml | 2 +-
 ...tect_users_creating_keys_with_encrypt_policy_without_mfa.yml | 2 +-
 detections/cloud/aws_exfiltration_via_ec2_snapshot.yml | 2 +-
 detections/cloud/aws_iam_accessdenied_discovery_events.yml | 2 +-
 detections/deprecated/asl_aws_excessive_security_scanning.yml | 2 +-
 detections/deprecated/asl_aws_password_policy_changes.yml | 2 +-
 detections/deprecated/aws_detect_attach_to_role_policy.yml | 2 +-
 detections/deprecated/aws_detect_role_creation.yml | 2 +-
 detections/deprecated/aws_detect_sts_assume_role_abuse.yml | 2 +-
 .../deprecated/aws_detect_sts_get_session_token_abuse.yml | 2 +-
 18 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index eaf8027900..31d8a82fd8 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Concurrent Sessions From Different Ips
 id: b3424bbe-3204-4469-887b-ec144483a336
-version: 7
+version: 6
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 9ad002d4d2..587c97d919 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Detect Users creating keys with encrypt policy without MFA
 id: 16ae9076-d1d5-411c-8fdd-457504b33dac
-version: 2
+version: 1
 date: '2024-12-16'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index 658ec386de..32b08c3e6e 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Disable Bucket Versioning
 id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc
-version: 2
+version: 1
 date: '2024-12-16'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
index ddd4f088e5..d43f8289a8 100644
--- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
@@ -1,6 +1,6 @@
 name: ASL AWS EC2 Snapshot Shared Externally
 id: 00af8f7f-e004-446b-9bba-2732f717ae27
-version: 2
+version: 1
 date: '2024-12-17'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index 8108ed6e5b..065f517035 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM AccessDenied Discovery Events
 id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2
-version: 2
+version: 1
 date: '2025-01-08'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
index 760ec5d535..b8dafe5438 100644
--- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Assume Role Policy Brute Force
 id: 726959fe-316d-445c-a584-fa187d64e295
-version: 2
+version: 1
 date: '2025-01-08'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index f84ecec18c..fd80b5fa9a 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Failure Group Deletion
 id: 8d12f268-c567-4557-9813-f8389e235c06
-version: 7
+version: 6
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
index 1f1fd7d422..cd1cbfff5e 100644
--- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
+++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
@@ -1,6 +1,6 @@
 name: AWS AMI Attribute Modification for Exfiltration
 id: f2132d74-cf81-4c5e-8799-ab069e67dc9f
-version: 6
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
index 9787083dff..86f240062a 100644
--- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -1,6 +1,6 @@
 name: AWS Concurrent Sessions From Different Ips
 id: 51c04fdb-2746-465a-b86e-b413a09c9085
-version: 6
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 52c5bb40a6..7662059987 100644
--- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,6 +1,6 @@
 name: AWS Detect Users creating keys with encrypt policy without MFA
 id: c79c164f-4b21-4847-98f9-cf6a9f49179e
-version: 5
+version: 4
 date: '2024-11-14'
 author: Rod Soto, Patrick Bareiss Splunk
 status: production
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 29dcbe0b67..1d23327ab1 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
@@ -1,6 +1,6 @@
 name: AWS Exfiltration via EC2 Snapshot
 id: ac90b339-13fc-4f29-a18c-4abbba1f2171
-version: 5
+version: 4
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
index f3f2d7600f..218b4bc3aa 100644
--- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
@@ -1,6 +1,6 @@
 name: AWS IAM AccessDenied Discovery Events
 id: 3e1f1568-9633-11eb-a69c-acde48001122
-version: 6
+version: 5
 date: '2024-11-14'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/deprecated/asl_aws_excessive_security_scanning.yml b/detections/deprecated/asl_aws_excessive_security_scanning.yml
index c87ee0aa93..0ee3a463e3 100644
--- a/detections/deprecated/asl_aws_excessive_security_scanning.yml
+++ b/detections/deprecated/asl_aws_excessive_security_scanning.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Excessive Security Scanning
 id: ff2bfdbc-65b7-4434-8f08-d55761d1d446
-version: 5
+version: 4
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: deprecated
diff --git a/detections/deprecated/asl_aws_password_policy_changes.yml b/detections/deprecated/asl_aws_password_policy_changes.yml
index 16ea57fca3..d791f17208 100644
--- a/detections/deprecated/asl_aws_password_policy_changes.yml
+++ b/detections/deprecated/asl_aws_password_policy_changes.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Password Policy Changes
 id: 5ade5937-11a2-4363-ba6b-39a3ee8d5b1a
-version: 5
+version: 3
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: deprecated
diff --git a/detections/deprecated/aws_detect_attach_to_role_policy.yml b/detections/deprecated/aws_detect_attach_to_role_policy.yml
index ddde29333c..15cd19619d 100644
--- a/detections/deprecated/aws_detect_attach_to_role_policy.yml
+++ b/detections/deprecated/aws_detect_attach_to_role_policy.yml
@@ -1,6 +1,6 @@
 name: aws detect attach to role policy
 id: 88fc31dd-f331-448c-9856-d3d51dd5d3a1
-version: 5
+version: 4
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
diff --git a/detections/deprecated/aws_detect_role_creation.yml b/detections/deprecated/aws_detect_role_creation.yml
index b60812c49c..830b7c96a6 100644
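Review bot: The revert hunk for detections/deprecated/asl_aws_password_policy_changes.yml goes from `-version: 5` to `+version: 3`, stepping down by two, while every other hunk in this revert steps down by one. Unless the reverted commit had bumped this file by two, the file now ends up below its pre-bump version; a clean inverse would be `+version: 4`. Within the patches visible here (10/15 through 12/15), neither this file nor detections/deprecated/asl_aws_excessive_security_scanning.yml is bumped again, so the net effect of the series on their `version` is a decrease, which is worth confirming is intended.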
--- a/detections/deprecated/aws_detect_role_creation.yml
+++ b/detections/deprecated/aws_detect_role_creation.yml
@@ -1,6 +1,6 @@
 name: aws detect role creation
 id: 5f04081e-ddee-4353-afe4-504f288de9ad
-version: 5
+version: 4
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
diff --git a/detections/deprecated/aws_detect_sts_assume_role_abuse.yml b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
index e83636a56d..21aa5e16fb 100644
--- a/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
+++ b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
@@ -1,6 +1,6 @@
 name: aws detect sts assume role abuse
 id: 8e565314-b6a2-46d8-9f05-1a34a176a662
-version: 5
+version: 4
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
diff --git a/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
index 80ed8b1698..41055eee3e 100644
--- a/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
+++ b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
@@ -1,6 +1,6 @@
 name: aws detect sts get session token abuse
 id: 85d7b35f-b8b5-4b01-916f-29b81e7a0551
-version: 5
+version: 4
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
From 3efcabd0996ecef7311e38e7f883d5b2d3bd8cc4 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Tue, 18 Feb 2025 10:25:33 +0100
Subject: [PATCH 09/15] Revert "version bump"
This reverts commit 1a3f332ac7a8fc500fd06870e9690b9b26430b74.
---
 ...aws_cross_account_activity_from_previously_unseen_account.yml | 1 -
 .../cloud/aws_saml_access_by_provider_user_and_principal.yml | 1 -
 2 files changed, 2 deletions(-)
 delete mode 100644 detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
 delete mode 100644 detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
deleted file mode 100644
index eb527f0e1c..0000000000
--- a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml
+++ /dev/null
@@ -1 +0,0 @@
-version: 5
\ No newline at end of file
diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
deleted file mode 100644
index eb527f0e1c..0000000000
--- a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml
+++ /dev/null
@@ -1 +0,0 @@
-version: 5
\ No newline at end of file
From e6ec9a99c51355ee2db4f40bdade2a9fb1e034e1 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Tue, 18 Feb 2025 11:11:15 +0100
Subject: [PATCH 10/15] version bump
---
 .../cloud/asl_aws_concurrent_sessions_from_different_ips.yml | 2 +-
 ...tect_users_creating_keys_with_encrypt_policy_without_mfa.yml | 2 +-
 detections/cloud/asl_aws_disable_bucket_versioning.yml | 2 +-
 detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml | 2 +-
 detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml | 2 +-
 detections/cloud/aws_concurrent_sessions_from_different_ips.yml | 2 +-
 ...tect_users_creating_keys_with_encrypt_policy_without_mfa.yml | 2 +-
 detections/cloud/aws_iam_accessdenied_discovery_events.yml | 2 +-
 detections/cloud/aws_saml_update_identity_provider.yml | 2 +-
 detections/deprecated/aws_detect_attach_to_role_policy.yml | 2 +-
 detections/deprecated/aws_detect_role_creation.yml | 2 +-
 detections/deprecated/aws_detect_sts_assume_role_abuse.yml | 2 +-
 .../deprecated/aws_detect_sts_get_session_token_abuse.yml | 2 +-
 13 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index 31d8a82fd8..eaf8027900 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Concurrent Sessions From Different Ips
 id: b3424bbe-3204-4469-887b-ec144483a336
-version: 6
+version: 7
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 587c97d919..9ad002d4d2 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Detect Users creating keys with encrypt policy without MFA
 id: 16ae9076-d1d5-411c-8fdd-457504b33dac
-version: 1
+version: 2
 date: '2024-12-16'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index 32b08c3e6e..658ec386de 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Disable Bucket Versioning
 id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc
-version: 1
+version: 2
 date: '2024-12-16'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index 065f517035..8108ed6e5b 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM AccessDenied Discovery Events
 id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2
-version: 1
+version: 2
 date: '2025-01-08'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
index b8dafe5438..760ec5d535 100644
--- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Assume Role Policy Brute Force
 id: 726959fe-316d-445c-a584-fa187d64e295
-version: 1
+version: 2
 date: '2025-01-08'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
index 86f240062a..9787083dff 100644
--- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -1,6 +1,6 @@
 name: AWS Concurrent Sessions From Different Ips
 id: 51c04fdb-2746-465a-b86e-b413a09c9085
-version: 5
+version: 6
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 7662059987..52c5bb40a6 100644
--- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,6 +1,6 @@
 name: AWS Detect Users creating keys with encrypt policy without MFA
 id: c79c164f-4b21-4847-98f9-cf6a9f49179e
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rod Soto, Patrick Bareiss Splunk
 status: production
diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
index 218b4bc3aa..f3f2d7600f 100644
--- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
@@ -1,6 +1,6 @@
 name: AWS IAM AccessDenied Discovery Events
 id: 3e1f1568-9633-11eb-a69c-acde48001122
-version: 5
+version: 6
 date: '2024-11-14'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml
index 63c9b1f306..51e9b3ea04 100644
--- a/detections/cloud/aws_saml_update_identity_provider.yml
+++ b/detections/cloud/aws_saml_update_identity_provider.yml
@@ -1,6 +1,6 @@
 name: AWS SAML Update identity provider
 id: 2f0604c6-6030-11eb-ae93-0242ac130002
-version: 6
+version: 7
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: production
diff --git a/detections/deprecated/aws_detect_attach_to_role_policy.yml b/detections/deprecated/aws_detect_attach_to_role_policy.yml
index 15cd19619d..ddde29333c 100644
--- a/detections/deprecated/aws_detect_attach_to_role_policy.yml
+++ b/detections/deprecated/aws_detect_attach_to_role_policy.yml
@@ -1,6 +1,6 @@
 name: aws detect attach to role policy
 id: 88fc31dd-f331-448c-9856-d3d51dd5d3a1
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
diff --git a/detections/deprecated/aws_detect_role_creation.yml b/detections/deprecated/aws_detect_role_creation.yml
index 830b7c96a6..b60812c49c 100644
--- a/detections/deprecated/aws_detect_role_creation.yml
+++ b/detections/deprecated/aws_detect_role_creation.yml
@@ -1,6 +1,6 @@
 name: aws detect role creation
 id: 5f04081e-ddee-4353-afe4-504f288de9ad
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
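Review bot: detections/cloud/aws_saml_update_identity_provider.yml is bumped a second time in this patch (`-version: 6` / `+version: 7`) after patch 07/15 already took it from 5 to 6, and the revert in patch 08/15 did not touch it, so the series raises this file by two while its siblings move by one. If only one increment was intended, either this hunk should be dropped or the earlier bump reverted; if two distinct content changes justify it, a line in the commit message saying so would save the next reader from the same question.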
diff --git a/detections/deprecated/aws_detect_sts_assume_role_abuse.yml b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
index 21aa5e16fb..e83636a56d 100644
--- a/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
+++ b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml
@@ -1,6 +1,6 @@
 name: aws detect sts assume role abuse
 id: 8e565314-b6a2-46d8-9f05-1a34a176a662
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
diff --git a/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
index 41055eee3e..80ed8b1698 100644
--- a/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
+++ b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml
@@ -1,6 +1,6 @@
 name: aws detect sts get session token abuse
 id: 85d7b35f-b8b5-4b01-916f-29b81e7a0551
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
From 60e55f95c56b8003587af805c49a391a46b13da5 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Tue, 18 Feb 2025 11:18:15 +0100
Subject: [PATCH 11/15] version bump
---
 detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml | 2 +-
 .../cloud/aws_ami_attribute_modification_for_exfiltration.yml | 2 +-
 detections/cloud/aws_exfiltration_via_ec2_snapshot.yml | 2 +-
 ...ws_cross_account_activity_from_previously_unseen_account.yml | 2 +-
 .../aws_saml_access_by_provider_user_and_principal.yml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
index d43f8289a8..ddd4f088e5 100644
--- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
@@ -1,6 +1,6 @@
 name: ASL AWS EC2 Snapshot Shared Externally
 id: 00af8f7f-e004-446b-9bba-2732f717ae27
-version: 1
+version: 2
 date: '2024-12-17'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
index cd1cbfff5e..1f1fd7d422 100644
--- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
+++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
@@ -1,6 +1,6 @@
 name: AWS AMI Attribute Modification for Exfiltration
 id: f2132d74-cf81-4c5e-8799-ab069e67dc9f
-version: 5
+version: 6
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 1d23327ab1..29dcbe0b67 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
@@ -1,6 +1,6 @@
 name: AWS Exfiltration via EC2 Snapshot
 id: ac90b339-13fc-4f29-a18c-4abbba1f2171
-version: 4
+version: 5
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml
index b0f0ceda0b..5d882ef853 100644
--- a/detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml
+++ b/detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml
@@ -1,6 +1,6 @@
 name: AWS Cross Account Activity From Previously Unseen Account
 id: 21193641-cb96-4a2c-a707-d9b9a7f7792b
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rico Valdez, Splunk
 status: deprecated
diff --git a/detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml b/detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml
index b2214e952e..4c3681065e 100644
--- a/detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml
+++ b/detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml
@@ -1,6 +1,6 @@
 name: AWS SAML Access by Provider User and Principal
 id: bbe23980-6019-11eb-ae93-0242ac130002
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rod Soto, Splunk
 status: deprecated
From 0d842ad81b86b0b7fb0bcda9b047c73ecf7c0868 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Tue, 18 Feb 2025 11:22:10 +0100
Subject: [PATCH 12/15] version bump
---
 detections/cloud/asl_aws_iam_failure_group_deletion.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index fd80b5fa9a..f84ecec18c 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Failure Group Deletion
 id: 8d12f268-c567-4557-9813-f8389e235c06
-version: 6
+version: 7
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
From 43bffcabf9e7f15474f3a62d4927cc33c200f957 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Wed, 26 Feb 2025 10:50:15 +0100
Subject: [PATCH 13/15] version bump
---
 .gitignore | 1 +
 detections/cloud/asl_aws_create_access_key.yml | 2 +-
 .../asl_aws_create_policy_version_to_allow_all_resources.yml | 2 +-
 detections/cloud/asl_aws_credential_access_getpassworddata.yml | 2 +-
 .../cloud/asl_aws_credential_access_rds_password_reset.yml | 2 +-
 detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml | 2 +-
 .../asl_aws_defense_evasion_delete_cloudwatch_log_group.yml | 2 +-
 .../cloud/asl_aws_defense_evasion_impair_security_services.yml | 2 +-
 detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml | 2 +-
 .../cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml | 2 +-
 detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml | 2 +-
 .../asl_aws_ecr_container_upload_outside_business_hours.yml | 2 +-
 detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml | 2 +-
 detections/cloud/asl_aws_iam_successful_group_deletion.yml | 2 +-
 .../cloud/asl_aws_multi_factor_authentication_disabled.yml | 2 +-
 15 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/.gitignore b/.gitignore
index c441750030..2a6e590e07 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@ external_repos/
 # IDE
 .vscode/
+.cursor/
 # usual mac files
 .DS_Store
diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml
index cc66501d74..fbe7451376 100644
--- a/detections/cloud/asl_aws_create_access_key.yml
+++ b/detections/cloud/asl_aws_create_access_key.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Create Access Key
 id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
index 463548fa77..ebc5717631 100644
--- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Create Policy Version to allow all resources
 id: 22cc7a62-3884-48c4-82da-592b8199b72f
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
index 685f939c47..e97f64423a 100644
--- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Credential Access GetPasswordData
 id: a79b607a-50cc-4704-bb9d-eff280cb78c2
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
index d40c51de82..7105538b78 100644
--- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Credential Access RDS Password reset
 id: d15e9bd9-ef64-4d84-bc04-f62955a9fee8
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
index 4e2b1ed0c7..0caed90b62 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Defense Evasion Delete Cloudtrail
 id: 1f0b47e5-0134-43eb-851c-e3258638945e
-version: 7
+version: 8
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
index 0bf1a72365..f13418270d 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Defense Evasion Delete CloudWatch Log Group
 id: 0f701b38-a0fb-43fd-a83d-d12265f71f33
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
index 85f3d91636..5234ae230b 100644
--- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Defense Evasion Impair Security Services
 id: 5029b681-0462-47b7-82e7-f7e3d37f5a2d
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
index 082aa46821..ce16123a06 100644
--- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
+++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Defense Evasion PutBucketLifecycle
 id: 986565a2-7707-48ea-9590-37929cebc938
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
index 64e372f665..8182273cb2 100644
--- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Defense Evasion Stop Logging Cloudtrail
 id: 0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1
-version: 5
+version: 6
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index fed1317f40..5a1208fb76 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Defense Evasion Update Cloudtrail
 id: f3eb471c-16d0-404d-897c-7653f0a78cba
-version: 5
+version: 6
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index d1982e4dc0..a65cf4ea32 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -1,6 +1,6 @@
 name: ASL AWS ECR Container Upload Outside Business Hours
 id: 739ed682-27e9-4ba0-80e5-a91b97698213
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
index 97ebb4a1f4..dcd5166378 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
@@ -1,6 +1,6 @@
 name: ASL AWS ECR Container Upload Unknown User
 id: 886a8f46-d7e2-4439-b9ba-aec238e31732
-version: 5
+version: 6
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index 9c28072ab2..48f44b30d1 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Successful Group Deletion
 id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
index adcdb8fac7..9f331adb00 100644
--- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Multi-Factor Authentication Disabled
 id: 4d2df5e0-1092-4817-88a8-79c7fa054668
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
From f587288967ff4390135198b97eeb40328de7e295 Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Wed, 26 Feb 2025 11:10:59 +0100
Subject: [PATCH 14/15] version bump
---
 ...etwork_access_control_list_created_with_all_open_ports.yml | 2 +-
 .../cloud/asl_aws_network_access_control_list_deleted.yml | 4 ++--
 .../cloud/asl_aws_new_mfa_method_registered_for_user.yml | 2 +-
 detections/cloud/asl_aws_updateloginprofile.yml | 2 +-
 .../cloud/aws_console_login_failed_during_mfa_challenge.yml | 2 +-
 .../aws_create_policy_version_to_allow_all_resources.yml | 2 +-
 detections/cloud/aws_createaccesskey.yml | 2 +-
 detections/cloud/aws_createloginprofile.yml | 2 +-
 detections/cloud/aws_credential_access_failed_login.yml | 2 +-
 detections/cloud/aws_credential_access_getpassworddata.yml | 2 +-
 detections/cloud/aws_credential_access_rds_password_reset.yml | 2 +-
 detections/cloud/aws_defense_evasion_delete_cloudtrail.yml | 2 +-
 .../cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml | 2 +-
 .../cloud/aws_defense_evasion_impair_security_services.yml | 2 +-
 detections/cloud/aws_defense_evasion_putbucketlifecycle.yml | 2 +-
 .../cloud/aws_defense_evasion_stop_logging_cloudtrail.yml | 2 +-
 detections/cloud/aws_defense_evasion_update_cloudtrail.yml | 2 +-
 detections/cloud/aws_ecr_container_scanning_findings_high.yml | 2 +-
 ..._container_scanning_findings_low_informational_unknown.yml | 2 +-
 .../cloud/aws_ecr_container_scanning_findings_medium.yml | 2 +-
 .../cloud/aws_ecr_container_upload_outside_business_hours.yml | 2 +-
 detections/cloud/aws_ecr_container_upload_unknown_user.yml | 2 +-
 .../aws_high_number_of_failed_authentications_from_ip.yml | 2 +-
 detections/cloud/aws_iam_successful_group_deletion.yml | 2 +-
 detections/cloud/aws_multi_factor_authentication_disabled.yml | 2 +-
 .../cloud/aws_multiple_failed_mfa_requests_for_user.yml | 2 +-
 .../aws_multiple_users_failing_to_authenticate_from_ip.yml | 2 +-
 ...etwork_access_control_list_created_with_all_open_ports.yml | 2 +-
 detections/cloud/aws_network_access_control_list_deleted.yml | 2 +-
 detections/cloud/aws_new_mfa_method_registered_for_user.yml | 2 +-
 detections/cloud/aws_setdefaultpolicyversion.yml | 2 +-
 .../cloud/aws_successful_single_factor_authentication.yml | 2 +-
 .../aws_unusual_number_of_failed_authentications_from_ip.yml | 2 +-
 33 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
index 05f93030f8..88579f1f17 100644
--- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Network Access Control List Created with All Open Ports
 id: a2625034-c2de-44fc-b45c-7bac9c4a7974
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
index 4c5766fc40..e4c84dd570 100644
--- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Network Access Control List Deleted
-id: e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b
-version: 2
+id: 2a9b80d3-6340-4345-b5ad-212bf3d0dac5
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index b69ec238e9..1412490475 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
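Review bot: The `asl_aws_network_access_control_list_deleted.yml` hunk replaces the detection's `id` (`e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b` → `2a9b80d3-6340-4345-b5ad-212bf3d0dac5`) inside a commit titled "version bump", and the new value differs by a single hex digit from the `id` of `aws_create_policy_version_to_allow_all_resources.yml` (`2a9b80d3-6340-4345-b5ad-212bf3d0dac4`) bumped later in the same patch, which looks hand-edited rather than freshly generated. PATCH 15/15 ("uuid change") on this page reverts the `id` back to `e010ddf5-…`, so the two commits together leave only the version bump; squashing them, or dropping the two `id` lines from this hunk, would keep the transient near-duplicate uuid out of history. Detection ids are presumably treated as stable identifiers by whatever consumes these files, so any intentional id change should be its own commit with the reason stated in the message.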
@@ -1,6 +1,6 @@
 name: ASL AWS New MFA Method Registered For User
 id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
-version: 7
+version: 8
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: experimental
diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml
index 863ce1ee4e..43dab5c0cd 100644
--- a/detections/cloud/asl_aws_updateloginprofile.yml
+++ b/detections/cloud/asl_aws_updateloginprofile.yml
@@ -1,6 +1,6 @@
 name: ASL AWS UpdateLoginProfile
 id: 5b3f63a3-865b-4637-9941-f98bd1a50c0d
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
index 4e8fbbfb6b..6796bcc648 100644
--- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
+++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
@@ -1,6 +1,6 @@
 name: AWS Console Login Failed During MFA Challenge
 id: 55349868-5583-466f-98ab-d3beb321961e
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
index 948e269dd3..9742f0ee35 100644
--- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
@@ -1,6 +1,6 @@
 name: AWS Create Policy Version to allow all resources
 id: 2a9b80d3-6340-4345-b5ad-212bf3d0dac4
-version: 8
+version: 9
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml
index 8f45794651..d8fb41afe5 100644
--- a/detections/cloud/aws_createaccesskey.yml
+++ b/detections/cloud/aws_createaccesskey.yml
@@ -1,6 +1,6 @@
 name: AWS CreateAccessKey
 id: 2a9b80d3-6340-4345-11ad-212bf3d0d111
-version: 7
+version: 8
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml
index 310d3dda54..2acc9beb62 100644
--- a/detections/cloud/aws_createloginprofile.yml
+++ b/detections/cloud/aws_createloginprofile.yml
@@ -1,6 +1,6 @@
 name: AWS CreateLoginProfile
 id: 2a9b80d3-6340-4345-11ad-212bf444d111
-version: 6
+version: 7
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml
index 13a0a1ee9b..ccf26bb80e 100644
--- a/detections/cloud/aws_credential_access_failed_login.yml
+++ b/detections/cloud/aws_credential_access_failed_login.yml
@@ -1,6 +1,6 @@
 name: AWS Credential Access Failed Login
 id: a19b354d-0d7f-47f3-8ea6-1a7c36434968
-version: 5
+version: 6
 date: '2025-02-10'
 author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml
index 612e22695f..366d056882 100644
--- a/detections/cloud/aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/aws_credential_access_getpassworddata.yml
@@ -1,6 +1,6 @@
 name: AWS Credential Access GetPasswordData
 id: 4d347c4a-306e-41db-8d10-b46baf71b3e2
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml
index 692a3c3fb2..1a6310fc2f 100644
--- a/detections/cloud/aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/aws_credential_access_rds_password_reset.yml
@@ -1,6 +1,6 @@
 name: AWS Credential Access RDS Password reset
 id: 6153c5ea-ed30-4878-81e6-21ecdb198189
-version: 6
+version: 7
 date: '2025-02-10'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
index 54712c70bb..c2c6adda25 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
@@ -1,6 +1,6 @@
 name: AWS Defense Evasion Delete Cloudtrail
 id: 82092925-9ca1-4e06-98b8-85a2d3889552
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
index b1c13cbaa0..3308368693 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -1,6 +1,6 @@
 name: AWS Defense Evasion Delete CloudWatch Log Group
 id: d308b0f1-edb7-4a62-a614-af321160710f
-version: 5
+version: 6
 date: '2025-02-10'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml
index 505911bfbf..7dbfa9ad82 100644
--- a/detections/cloud/aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml
@@ -1,6 +1,6 @@
 name: AWS Defense Evasion Impair Security Services
 id: b28c4957-96a6-47e0-a965-6c767aac1458
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
index ec6b280647..243134cb17 100644
--- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
+++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
@@ -1,6 +1,6 @@
 name: AWS Defense Evasion PutBucketLifecycle
 id: ce1c0e2b-9303-4903-818b-0d9002fc6ea4
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel
 status: production
diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
index fc7d09a945..1373c8781b 100644
--- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -1,6 +1,6 @@
 name: AWS Defense Evasion Stop Logging Cloudtrail
 id: 8a2f3ca2-4eb5-4389-a549-14063882e537
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
index aca9818c05..71a3be13fb 100644
--- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
@@ -1,6 +1,6 @@
 name: AWS Defense Evasion Update Cloudtrail
 id: 7c921d28-ef48-4f1b-85b3-0af8af7697db
-version: 5
+version: 6
 date: '2025-02-10'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
index 9805e99fe1..3714ddbd98 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
@@ -1,6 +1,6 @@
 name: AWS ECR Container Scanning Findings High
 id: 30a0e9f8-f1dd-4f9d-8fc2-c622461d781c
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
index d15c3db9ea..106f0ae2ed 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
@@ -1,6 +1,6 @@
 name: AWS ECR Container Scanning Findings Low Informational Unknown
 id: cbc95e44-7c22-443f-88fd-0424478f5589
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Eric McGinnis Splunk
 status: production
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
index 5066787820..4f7b7f2c14 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
@@ -1,6 +1,6 @@
 name: AWS ECR Container Scanning Findings Medium
 id: 0b80e2c8-c746-4ddb-89eb-9efd892220cf
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
index 0a67fd26d7..ec7d22be55 100644
--- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
@@ -1,6 +1,6 @@
 name: AWS ECR Container Upload Outside Business Hours
 id: d4c4d4eb-3994-41ca-a25e-a82d64e125bb
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
index 2739576228..ecf00814e5 100644
--- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
@@ -1,6 +1,6 @@
 name: AWS ECR Container Upload Unknown User
 id: 300688e4-365c-4486-a065-7c884462b31d
-version: 5
+version: 6
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
index 7860811e3d..80213c5005 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
@@ -1,6 +1,6 @@
 name: AWS High Number Of Failed Authentications From Ip
 id: f75b7f1a-b8eb-4975-a214-ff3e0a944757
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml
index eb9841b9b3..95b05b3e42 100644
--- a/detections/cloud/aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/aws_iam_successful_group_deletion.yml
@@ -1,6 +1,6 @@
 name: AWS IAM Successful Group Deletion
 id: e776d06c-9267-11eb-819b-acde48001122
-version: 6
+version: 7
 date: '2025-02-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml
index ebf4709811..89e34fd41d 100644
--- a/detections/cloud/aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml
@@ -1,6 +1,6 @@
 name: AWS Multi-Factor Authentication Disabled
 id: 374832b1-3603-420c-b456-b373e24d34c0
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
index b914fb8836..5364cabcce 100644
--- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
@@ -1,6 +1,6 @@
 name: AWS Multiple Failed MFA Requests For User
 id: 1fece617-e614-4329-9e61-3ba228c0f353
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel
 status: production
diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
index a9b05ecf98..8430271670 100644
--- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,6 +1,6 @@
 name: AWS Multiple Users Failing To Authenticate From Ip
 id: 71e1fb89-dd5f-4691-8523-575420de4630
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel
 status: production
diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
index 321fb5ec22..53a0b53635 100644
--- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
@@ -1,6 +1,6 @@
 name: AWS Network Access Control List Created with All Open Ports
 id: ada0f478-84a8-4641-a3f1-d82362d6bd75
-version: 6
+version: 7
 date: '2025-02-10'
 author: Bhavin Patel, Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml
index 47e0c3b3bf..1f7c98e312 100644
--- a/detections/cloud/aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/aws_network_access_control_list_deleted.yml
@@ -1,6 +1,6 @@
 name: AWS Network Access Control List Deleted
 id: ada0f478-84a8-4641-a3f1-d82362d6fd75
-version: 6
+version: 7
 date: '2025-02-10'
 author: Bhavin Patel, Patrick Bareiss, Splunk
 status: production
diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
index 411d68fc12..9023487963 100644
--- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
@@ -1,6 +1,6 @@
 name: AWS New MFA Method Registered For User
 id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b
-version: 6
+version: 7
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml
index 7cc2e715b0..5d775a0401 100644
--- a/detections/cloud/aws_setdefaultpolicyversion.yml
+++ b/detections/cloud/aws_setdefaultpolicyversion.yml
@@ -1,6 +1,6 @@
 name: AWS SetDefaultPolicyVersion
 id: 2a9b80d3-6340-4345-11ad-212bf3d0dac4
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml
index eed7c2c77f..9f326936db 100644
--- a/detections/cloud/aws_successful_single_factor_authentication.yml
+++ b/detections/cloud/aws_successful_single_factor_authentication.yml
@@ -1,6 +1,6 @@
 name: AWS Successful Single-Factor Authentication
 id: a520b1fe-cc9e-4f56-b762-18354594c52f
-version: 5
+version: 6
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
index 2c3013df55..81255cca76 100644
--- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,6 +1,6 @@
 name: AWS Unusual Number of Failed Authentications From Ip
 id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386
-version: 6
+version: 7
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
From 7949424e0266874b873a09930e1450b8542bc2bc Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Wed, 26 Feb 2025 11:15:03 +0100
Subject: [PATCH 15/15] uuid change
---
 .../cloud/asl_aws_network_access_control_list_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
index e4c84dd570..59d4c8101d 100644
--- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
@@ -1,5 +1,5 @@
 name: ASL AWS Network Access Control List Deleted
-id: 2a9b80d3-6340-4345-b5ad-212bf3d0dac5
+id: e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b
 version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk