valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/SigmaHQ/sigma into qoutes_and_wildcards

Browse Source 
Signed-off-by: neu5ron <neu5ron@users.noreply.github.com>
This commit is contained in:
neu5ron 2021-08-30 16:33:33 -04:00
commit 96c7e180fe
707 changed files with 14856 additions and 2012 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/sigma-test.yml vendored
View File

@ -8,7 +8,9 @@ on:
branches:
- "*"
pull_request:
branches: [ master, oscd ]
branches:
- master
- oscd
jobs:
test-sigma:
@ -23,6 +25,7 @@ jobs:
run: |
python -m pip install --upgrade pip
pip install pipenv
pipenv lock
pipenv install --dev --deploy
- name: Test Sigma Tools and Rules
run: |
@ -30,3 +33,9 @@ jobs:
- name: Test SQL(ite) Backend
run: |
pipenv run make test-backend-sql
yamllint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: yaml-lint
uses: ibiqlik/action-yamllint@v3

36
CHANGELOG.md
View File

@ -6,6 +6,42 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html)
from version 0.14.0.
## 0.20 - 2021-08-14
### Added
* Devo backend
* Fields selection added to SQL backend
* Linux/MacOS support for MDATP backend
* Output results as generic YAML/JSON
* Hash normalization option (hash_normalize) for Elasticsearch wildcard handling
* ALA AWS Cloudtrail and Azure mappings
* Logrhytm backend
* Splunk Data Models backend
* Further log sources used in open source Sigma ruleset
* CarbonBlack EDR backend
* Elastic EQL backend
* Additional conversion selection filters
* Filter negation
* Specify table in SQL backend
* Generic registry event log source
* Chronicle backend
### Changed
* Elastic Watcher backend populates name attribute instead of title.
* One item list optimization.
* Updated Winlogbeat mapping
* Generic mapping for Powershell backend
### Fixed
* Elastalert multi output file
* Fixed duplicate output in ElastAlert backend
* Escaping in Graylog backend
* es-rule ndjson output
* Various fixes of known bugs
## 0.19.1 - 2021-02-28
### Changed

6
LICENSE.Detection.Rules.md
View File

@ -1,4 +1,4 @@
# Detection Rule License (DRL) 1.0
# Detection Rule License (DRL) 1.1
Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:
@ -10,4 +10,8 @@ If you share the Rules (including in modified form), you must retain the followi
3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable
If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules:
1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.

8
Makefile
View File

@ -46,8 +46,12 @@ test-sigmac:
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -c tools/config/splunk-windows-index.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml -c tools/config/splunk-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkdm -c tools/config/splunk-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint -c tools/config/logpoint-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t devo -c tools/config/devo-windows.yml rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t lacework rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t mdatp rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t uberagent rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala-rule rules/ > /dev/null
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t ala --backend-config tests/backend_config.yml rules/windows/process_creation/ > /dev/null
@ -103,7 +107,7 @@ test-sigmac:
$(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o $(TMPOUT) - < tests/collection_repeat.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -c tools/config/winlogbeat.yml -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/not_existing.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_yaml.badyml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_identifiers.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-no_condition.yml > /dev/null
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml tests/invalid_sigma-invalid_identifier_reference.yml > /dev/null
@ -112,7 +116,7 @@ test-sigmac:
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml rules/windows/builtin/win_susp_failed_logons_single_source.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tools/config/winlogbeat.yml -o /not_possible rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c not_existing rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_yaml.badyml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
! $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -c tests/invalid_config.yml rules/windows/sysmon/sysmon_mimikatz_detection_lsass.yml
test-merge:

5
Pipfile
View File

@ -15,11 +15,12 @@ stix2 = "*"
attackcti = "*"
[packages]
requests = "~=2.23"
urllib3 = "~=1.25"
requests = "~=2.25"
urllib3 = "~=1.26"
progressbar2 = "~=3.47"
pymisp = "~=2.4.123"
PyYAML = "~=5.1"
"ruamel.yaml" = "*"
[requires]
python_version = "3.8"

309
Pipfile.lock generated
View File

@ -1,7 +1,7 @@
{
"_meta": {
"hash": {
"sha256": "6f2116e6d1b332715efdc61c59a958c9226831cb7e19fcd4cea3f4c569d90687"
"sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68"
},
"pipfile-spec": 6,
"requires": {
@ -18,26 +18,26 @@
"default": {
"attrs": {
"hashes": [
"sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
"sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.3.0"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
},
"certifi": {
"hashes": [
"sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
"sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
],
"version": "==2020.12.5"
"version": "==2021.5.30"
},
"chardet": {
"charset-normalizer": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
"markers": "python_version >= '3'",
"version": "==2.0.4"
},
"deprecated": {
"hashes": [
@ -49,11 +49,11 @@
},
"idna": {
"hashes": [
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.10"
"markers": "python_version >= '3'",
"version": "==3.2"
},
"jsonschema": {
"hashes": [
@ -72,26 +72,46 @@
},
"pymisp": {
"hashes": [
"sha256:7ab159ba589f54d105c59cb990722369c57d8f587b5df215a79ed4059cb57b8a",
"sha256:c6496a6884fe3a671e9dd3c314564b4e94b8827845f5ea0004ab3649373e9db2"
"sha256:5971eba9a4d3b7f5ee47035417c7692fc0ec45d581afcaa63e3f7e2d6a400923",
"sha256:641e3db1af1010cff3a652df6eb51ac4f4e540b1801b811d5e009c59114bf26a"
],
"index": "pypi",
"version": "==2.4.141.1"
"version": "==2.4.148"
},
"pyrsistent": {
"hashes": [
"sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e"
"sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2",
"sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7",
"sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea",
"sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426",
"sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710",
"sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1",
"sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396",
"sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2",
"sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680",
"sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35",
"sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427",
"sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b",
"sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b",
"sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f",
"sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef",
"sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c",
"sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4",
"sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d",
"sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78",
"sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b",
"sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72"
],
"markers": "python_version >= '3.5'",
"version": "==0.17.3"
"markers": "python_version >= '3.6'",
"version": "==0.18.0"
},
"python-dateutil": {
"hashes": [
"sha256:73ebfe9dbf22e832286dafa60473e4cd239f8592f699aa5adaf10050e6e1823c",
"sha256:75bb3f31ea686f1197762692a9ee6a7550b59fc6ca3a1f4b5d7e32fb98e2da2a"
"sha256:0123cacc1627ae19ddf3c27a5de5bd67ee4586fbdd6440d9748f8abb483d3e86",
"sha256:961d03dc3453ebbc59dbdea9e4e11c5651520a876d0f4db161e8674aae935da9"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.8.1"
"version": "==2.8.2"
},
"python-utils": {
"hashes": [
@ -137,27 +157,62 @@
},
"requests": {
"hashes": [
"sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
"sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
"sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
"sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
],
"index": "pypi",
"version": "==2.25.1"
"version": "==2.26.0"
},
"ruamel.yaml": {
"hashes": [
"sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67",
"sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815"
],
"index": "pypi",
"version": "==0.17.10"
},
"ruamel.yaml.clib": {
"hashes": [
"sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd",
"sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0",
"sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277",
"sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104",
"sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd",
"sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78",
"sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99",
"sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527",
"sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84",
"sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7",
"sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468",
"sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b",
"sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94",
"sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233",
"sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb",
"sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5",
"sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe",
"sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751",
"sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502",
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed",
"sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c"
],
"markers": "python_version < '3.10' and platform_python_implementation == 'CPython'",
"version": "==0.2.6"
},
"six": {
"hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
"sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
"sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.15.0"
"version": "==1.16.0"
},
"urllib3": {
"hashes": [
"sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
"sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
"sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
],
"index": "pypi",
"version": "==1.26.4"
"version": "==1.26.6"
},
"wrapt": {
"hashes": [
@ -227,26 +282,26 @@
},
"attackcti": {
"hashes": [
"sha256:60059c597f39074db979482931c8771c31581c76e0ae6451c04214a1330a5d2f",
"sha256:a0c44c7065d2568b728e62a8325b0c5fde9d6901e4e0199bde7a9bab974bdcb9"
"sha256:2516b00631d4f0f8e05e950281ed94566774587b968901c02296e174835f0786",
"sha256:98d9c80a2c566847aa6d95fe824f48e8c45a418bbbb212e96dcf468693754cea"
],
"index": "pypi",
"version": "==0.3.4.3"
"version": "==0.3.4.4"
},
"attrs": {
"hashes": [
"sha256:31b2eced602aa8423c2aea9c76a724617ed67cf9513173fd3a4f03e3a929c7e6",
"sha256:832aa3cde19744e49938b91fea06d69ecb9e649c93ba974535d08ad92164f700"
"sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1",
"sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.3.0"
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==21.2.0"
},
"certifi": {
"hashes": [
"sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c",
"sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830"
"sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee",
"sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8"
],
"version": "==2020.12.5"
"version": "==2021.5.30"
},
"chardet": {
"hashes": [
@ -256,6 +311,14 @@
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
"version": "==4.0.0"
},
"charset-normalizer": {
"hashes": [
"sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b",
"sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3"
],
"markers": "python_version >= '3'",
"version": "==2.0.4"
},
"colorama": {
"hashes": [
"sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b",
@ -324,11 +387,11 @@
},
"elasticsearch": {
"hashes": [
"sha256:9a77172be02bc4855210d83f0f1346a1e7d421e3cb2ca47ba81ac0c5a717b3a0",
"sha256:c67b0f6541eda6de9f92eaea319c070aa2710c5d4d4ee5e3dfa3c21bd95aa378"
"sha256:084979d21cc2955903ecc215bb40b8180207b2bcb5e52ec0ec7dd6f60affd01e",
"sha256:f3ab1454e646170bbc6796b8707e4bff125234391d2acc022221e1c0313becb4"
],
"index": "pypi",
"version": "==7.12.0"
"version": "==7.14.0"
},
"elasticsearch-async": {
"hashes": [
@ -340,19 +403,19 @@
},
"idna": {
"hashes": [
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a",
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==2.10"
"markers": "python_version >= '3'",
"version": "==3.2"
},
"more-itertools": {
"hashes": [
"sha256:5652a9ac72209ed7df8d9c15daf4e1aa0e3d2ccd3c87f8265a0673cd9cbc9ced",
"sha256:c5d6da9ca3ff65220c3bfd2a8db06d698f05d4d2b9be57e1deb2be5a45019713"
"sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d",
"sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a"
],
"markers": "python_version >= '3.5'",
"version": "==8.7.0"
"version": "==8.8.0"
},
"multidict": {
"hashes": [
@ -399,18 +462,18 @@
},
"packaging": {
"hashes": [
"sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5",
"sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a"
"sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7",
"sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==20.9"
"markers": "python_version >= '3.6'",
"version": "==21.0"
},
"pathspec": {
"hashes": [
"sha256:86379d6b86d75816baba717e64b1a3a3469deb93bb76d613c9ce79edc5cb68fd",
"sha256:aa0cb481c4041bf52ffa7b0d8fa6cd3e88a2ca4879c533c9153882ee2556790d"
"sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a",
"sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1"
],
"version": "==0.8.1"
"version": "==0.9.0"
},
"pluggy": {
"hashes": [
@ -488,78 +551,70 @@
},
"requests": {
"hashes": [
"sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804",
"sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e"
"sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
"sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
],
"index": "pypi",
"version": "==2.25.1"
"version": "==2.26.0"
},
"simplejson": {
"hashes": [
"sha256:034550078a11664d77bc1a8364c90bb7eef0e44c2dbb1fd0a4d92e3997088667",
"sha256:05b43d568300c1cd43f95ff4bfcff984bc658aa001be91efb3bb21df9d6288d3",
"sha256:0dd9d9c738cb008bfc0862c9b8fa6743495c03a0ed543884bf92fb7d30f8d043",
"sha256:10fc250c3edea4abc15d930d77274ddb8df4803453dde7ad50c2f5565a18a4bb",
"sha256:2862beabfb9097a745a961426fe7daf66e1714151da8bb9a0c430dde3d59c7c0",
"sha256:292c2e3f53be314cc59853bd20a35bf1f965f3bc121e007ab6fd526ed412a85d",
"sha256:2d3eab2c3fe52007d703a26f71cf649a8c771fcdd949a3ae73041ba6797cfcf8",
"sha256:2e7b57c2c146f8e4dadf84977a83f7ee50da17c8861fd7faf694d55e3274784f",
"sha256:311f5dc2af07361725033b13cc3d0351de3da8bede3397d45650784c3f21fbcf",
"sha256:344e2d920a7f27b4023c087ab539877a1e39ce8e3e90b867e0bfa97829824748",
"sha256:3fabde09af43e0cbdee407555383063f8b45bfb52c361bc5da83fcffdb4fd278",
"sha256:42b8b8dd0799f78e067e2aaae97e60d58a8f63582939af60abce4c48631a0aa4",
"sha256:4b3442249d5e3893b90cb9f72c7d6ce4d2ea144d2c0d9f75b9ae1e5460f3121a",
"sha256:55d65f9cc1b733d85ef95ab11f559cce55c7649a2160da2ac7a078534da676c8",
"sha256:5c659a0efc80aaaba57fcd878855c8534ecb655a28ac8508885c50648e6e659d",
"sha256:72d8a3ffca19a901002d6b068cf746be85747571c6a7ba12cbcf427bfb4ed971",
"sha256:75ecc79f26d99222a084fbdd1ce5aad3ac3a8bd535cd9059528452da38b68841",
"sha256:76ac9605bf2f6d9b56abf6f9da9047a8782574ad3531c82eae774947ae99cc3f",
"sha256:7d276f69bfc8c7ba6c717ba8deaf28f9d3c8450ff0aa8713f5a3280e232be16b",
"sha256:7f10f8ba9c1b1430addc7dd385fc322e221559d3ae49b812aebf57470ce8de45",
"sha256:8042040af86a494a23c189b5aa0ea9433769cc029707833f261a79c98e3375f9",
"sha256:813846738277729d7db71b82176204abc7fdae2f566e2d9fcf874f9b6472e3e6",
"sha256:845a14f6deb124a3bcb98a62def067a67462a000e0508f256f9c18eff5847efc",
"sha256:869a183c8e44bc03be1b2bbcc9ec4338e37fa8557fc506bf6115887c1d3bb956",
"sha256:8acf76443cfb5c949b6e781c154278c059b09ac717d2757a830c869ba000cf8d",
"sha256:8f713ea65958ef40049b6c45c40c206ab363db9591ff5a49d89b448933fa5746",
"sha256:934115642c8ba9659b402c8bdbdedb48651fb94b576e3b3efd1ccb079609b04a",
"sha256:9551f23e09300a9a528f7af20e35c9f79686d46d646152a0c8fc41d2d074d9b0",
"sha256:9a2b7543559f8a1c9ed72724b549d8cc3515da7daf3e79813a15bdc4a769de25",
"sha256:a55c76254d7cf8d4494bc508e7abb993a82a192d0db4552421e5139235604625",
"sha256:ad8f41c2357b73bc9e8606d2fa226233bf4d55d85a8982ecdfd55823a6959995",
"sha256:af4868da7dd53296cd7630687161d53a7ebe2e63814234631445697bd7c29f46",
"sha256:afebfc3dd3520d37056f641969ce320b071bc7a0800639c71877b90d053e087f",
"sha256:b59aa298137ca74a744c1e6e22cfc0bf9dca3a2f41f51bc92eb05695155d905a",
"sha256:bc00d1210567a4cdd215ac6e17dc00cb9893ee521cee701adfd0fa43f7c73139",
"sha256:c1cb29b1fced01f97e6d5631c3edc2dadb424d1f4421dad079cb13fc97acb42f",
"sha256:c94dc64b1a389a416fc4218cd4799aa3756f25940cae33530a4f7f2f54f166da",
"sha256:ceaa28a5bce8a46a130cd223e895080e258a88d51bf6e8de2fc54a6ef7e38c34",
"sha256:cff6453e25204d3369c47b97dd34783ca820611bd334779d22192da23784194b",
"sha256:d0b64409df09edb4c365d95004775c988259efe9be39697d7315c42b7a5e7e94",
"sha256:d4813b30cb62d3b63ccc60dd12f2121780c7a3068db692daeb90f989877aaf04",
"sha256:da3c55cdc66cfc3fffb607db49a42448785ea2732f055ac1549b69dcb392663b",
"sha256:e058c7656c44fb494a11443191e381355388443d543f6fc1a245d5d238544396",
"sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06",
"sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb"
"sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7",
"sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085",
"sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb",
"sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476",
"sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473",
"sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e",
"sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c",
"sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732",
"sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b",
"sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34",
"sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586",
"sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da",
"sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34",
"sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564",
"sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e",
"sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926",
"sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e",
"sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08",
"sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e",
"sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c",
"sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999",
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e",
"sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314",
"sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95",
"sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277",
"sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda",
"sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61",
"sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640",
"sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e",
"sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee",
"sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86",
"sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98",
"sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616",
"sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b",
"sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c",
"sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc",
"sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858",
"sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec"
],
"markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==3.17.2"
"version": "==3.17.3"
},
"six": {
"hashes": [
"sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
"sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
"sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926",
"sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
"version": "==1.15.0"
"version": "==1.16.0"
},
"stix2": {
"hashes": [
"sha256:15c9cf599f5c43124e76fe71b883e4918f6f4cf65b084c58ec64b6180f45c938",
"sha256:3ab60082e4bffb39f75ea9ddc338b64126ff1cd086e6173d39b860191ac26ff4"
"sha256:b9b2200e5c429a0a49d67c8902638d2f97df2ba4321e15dde067c5cb80c9e8e1"
],
"index": "pypi",
"version": "==2.1.0"
"version": "==3.0.0"
},
"stix2-patterns": {
"hashes": [
@ -577,20 +632,19 @@
},
"typing-extensions": {
"hashes": [
"sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918",
"sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c",
"sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f"
"sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497",
"sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342",
"sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84"
],
"markers": "python_version < '3.8'",
"version": "==3.7.4.3"
"version": "==3.10.0.0"
},
"urllib3": {
"hashes": [
"sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df",
"sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937"
"sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4",
"sha256:f57b4c16c62fa2760b7e3d97c35b255512fb6b59a259730f36ba32ce9f8e342f"
],
"index": "pypi",
"version": "==1.26.4"
"version": "==1.26.6"
},
"wcwidth": {
"hashes": [
@ -601,11 +655,10 @@
},
"yamllint": {
"hashes": [
"sha256:8a5f8e442f49309eaf3e9d7232ce76f2fc8026f5c0c0b164b83f33fed1399637",
"sha256:b0e4c89985c7f5f8451c2eb8c67d804d10ac13a4abe031cbf49bdf3465d01087"
"sha256:0b08a96750248fdf21f1e8193cb7787554ef75ed57b27f621cd6b3bf09af11a1"
],
"index": "pypi",
"version": "==1.26.0"
"version": "==1.26.2"
},
"yarl": {
"hashes": [

7
README.md
View File

@ -1,4 +1,4 @@
[![Build Status](https://travis-ci.org/Neo23x0/sigma.svg?branch=master)](https://travis-ci.org/Neo23x0/sigma)
[![sigma build status](https://github.com/SigmaHQ/sigma/actions/workflows/sigma-test.yml/badge.svg?branch=master)](https://github.com/SigmaHQ/sigma/actions?query=branch%3Amaster)
![sigma_logo](./images/Sigma_0.3.png)
@ -131,7 +131,7 @@ optional arguments:
tag that must appear in the rules tag list, case-
insensitive matching. Multiple log source
specifications are AND linked.
--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}
--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}
Output target format
--target-list, -l List available output target formats
--config CONFIG, -c CONFIG
@ -211,6 +211,8 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window
* [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html)
* [LOGIQ](https://www.logiq.ai)
* [uberAgent ESA](https://uberagent.com/)
* [Devo](https://devo.com)
* [LogRhythm](https://logrhythm.com/)
Current work-in-progress
* [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels)
@ -316,6 +318,7 @@ These tools are not part of the main toolchain and maintained separately by thei
# Projects or Products that use Sigma
* [MISP](http://www.misp-project.org/2017/03/26/MISP.2.4.70.released.html) (since version 2.4.70, March 2017)
* [Atomic Threat Coverage](https://github.com/atc-project/atomic-threat-coverage) (since December 2018)
* [SOC Prime - Sigma Rule Editor](https://tdm.socprime.com/sigma/)
* [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches
* [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints

63
contrib/sigma2CSV.py Normal file
View File

@ -0,0 +1,63 @@
#!/usr/bin/env python3
# Copyright 2021 wagga40 (https://github.com/wagga40)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Project: sigma2CSV.py
Date: 07 aug 2021
Author: wagga40 (https://github.com/wagga40)
Version: 1.0
Description:
Asked by frak113 in issue #1787 (https://github.com/SigmaHQ/sigma/issues/1787#issuecomment-894618060)
This script converts sigma rules to a CSV format for statistics puprpose.
For now, it only keeps title, description, level, tags and author fields.
Feel free to modify it according to your needs.
Requirements:
$ pip install pyyaml
"""
import yaml
import glob
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("-r", "--rulesdirectory", help="Sub-directory generated by rules-search", required=True, type=str)
parser.add_argument("-f", "--fileext", help="Rule file extension", default="yml", type=str)
parser.add_argument("-d", "--delimiter", help="Separator", default=",", type=str)
parser.add_argument("--oneline", help="Put all tags on a single line", action="store_true")
args = parser.parse_args()
files = glob.glob(args.rulesdirectory + "/**/*." + args.fileext, recursive=True)
# for each file in the given directory
for file in files:
d={}
with open(file, 'r') as stream:
docs = yaml.load_all(stream, Loader=yaml.FullLoader)
for doc in docs:
for k,v in doc.items():
if k in ['title','description','tags','level','author']: # Modify here if you want to include other fields
d[k]=v
# Check for optional fields
if "author" not in d: d["author"]=""
if "level" not in d: d["level"]=""
if args.oneline: # All tags will be on a single line
if "tags" in d:
expandTags = args.delimiter.join([ tags for tags in d["tags"] if "attack" in tags ]) # Only output attack related tags
print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}{args.delimiter}{expandTags}')
else:
print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}')
else:
if "tags" in d:
for tag in d["tags"]:
if "attack" in tag: # Only output attack related tags
print(f'{d["title"]}{args.delimiter}{d["description"]}{args.delimiter}{d["level"]}{args.delimiter}{d["author"]}{args.delimiter}{tag}')

2
rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml → rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
View File

@ -6,12 +6,14 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg
- https://www.slideshare.net/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
tags:
- attack.privilege_escalation
- attack.t1548.002
logsource:
product: windows
category: process_creation
definition: Works only if Enrich Sysmon events with additional information about process in ParentOfParentImage check enrichment section
detection:
parent_image:
ParentImage|endswith:

2
rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
View File

@ -35,7 +35,7 @@ fields:
- IntegrityLevel
- User
- Image
ParentProcessGuid
- ParentProcessGuid
falsepositives:
- System administrator usage
- Penetration test

1
rules/windows/process_creation/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml → rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml
View File

@ -12,6 +12,7 @@ date: 2019/06/03
logsource:
category: process_creation
product: windows
definition: Works only if Enrich Sysmon events with additional information about process in ParentIntegrityLevel check enrichment section
detection:
selection:
ParentIntegrityLevel: Medium

1
rules/windows/process_creation/win_possible_privilege_escalation_using_rotten_potato.yml → rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml
View File

@ -15,6 +15,7 @@ modified: 2020/09/01
logsource:
category: process_creation
product: windows
definition: Works only if Enrich Sysmon events with additional information about process in ParentUser check enrichment section
detection:
selection:
ParentUser:

8
rules/cloud/aws_cloudtrail_disable_logging.yml → rules/cloud/aws/aws_cloudtrail_disable_logging.yml
View File

@ -4,19 +4,19 @@ status: experimental
description: Detects disabling, deleting and updating of a Trail
author: vitaliy0x1
date: 2020/01/21
modified: 2021/08/09
references:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/best-practices-security.html
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: cloudtrail.amazonaws.com
events:
- eventName:
eventSource: cloudtrail.amazonaws.com
eventName:
- StopLogging
- UpdateTrail
- DeleteTrail
condition: selection_source AND events
condition: selection_source
falsepositives:
- Valid change in a Trail
level: medium

8
rules/cloud/aws_config_disable_recording.yml → rules/cloud/aws/aws_config_disable_recording.yml
View File

@ -4,16 +4,16 @@ status: experimental
description: Detects AWS Config Service disabling
author: vitaliy0x1
date: 2020/01/21
modified: 2021/08/09
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: config.amazonaws.com
events:
- eventName:
eventSource: config.amazonaws.com
eventName:
- DeleteDeliveryChannel
- StopConfigurationRecorder
condition: selection_source AND events
condition: selection_source
falsepositives:
- Valid change in AWS Config Service
level: high

24
rules/cloud/aws/aws_ec2_disable_encryption.yml Normal file
View File

@ -0,0 +1,24 @@
title: AWS EC2 Disable EBS Encryption
id: 16124c2d-e40b-4fcc-8f2c-5ab7870a2223
status: stable
description: Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
author: Sittikorn S
date: 2021/06/29
modified: 2021/08/20
references:
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html
tags:
- attack.impact
- attack.t1486
- attack.t1565
logsource:
service: cloudtrail
detection:
selection:
eventSource: ec2.amazonaws.com
eventName: DisableEbsEncryptionByDefault
condition: selection
falsepositives:
- System Administrator Activities
- DEV, UAT, SAT environment. You should apply this rule with PROD account only.
level: medium

14
rules/cloud/aws_ec2_download_userdata.yml → rules/cloud/aws/aws_ec2_download_userdata.yml
View File

@ -4,20 +4,18 @@ status: experimental
description: Detects bulk downloading of User Data associated with AWS EC2 instances. Instance User Data may include installation scripts and hard-coded secrets for deployment.
author: faloker
date: 2020/02/11
modified: 2020/09/01
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__download_userdata/main.py#L24
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/ec2__download_userdata/main.py
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: ec2.amazonaws.com
selection_requesttype:
- requestParameters.attribute: userData
selection_eventname:
- eventName: DescribeInstanceAttribute
eventSource: ec2.amazonaws.com
requestParameters.attribute: userData
eventName: DescribeInstanceAttribute
timeframe: 30m
condition: all of them | count() > 10
condition: selection_source | count() > 10
falsepositives:
- Assets management software like device42
level: medium

12
rules/cloud/aws_ec2_startup_script_change.yml → rules/cloud/aws/aws_ec2_startup_script_change.yml
View File

@ -4,19 +4,17 @@ status: experimental
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
author: faloker
date: 2020/02/12
modified: 2020/09/01
modified: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/ec2__startup_shell_script/main.py#L9
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: ec2.amazonaws.com
selection_userdata:
- requestParameters.userData: "*"
selection_eventname:
- eventName: ModifyInstanceAttribute
condition: all of them
eventSource: ec2.amazonaws.com
requestParameters.userData: "*"
eventName: ModifyInstanceAttribute
condition: selection_source
falsepositives:
- Valid changes to the startup script
level: high

2
rules/cloud/aws_ec2_vm_export_failure.yml → rules/cloud/aws/aws_ec2_vm_export_failure.yml
View File

@ -4,6 +4,7 @@ status: experimental
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
author: Diogo Braz
date: 2020/04/16
modified: 2021/08/20
references:
- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
logsource:
@ -17,7 +18,6 @@ detection:
filter2:
errorCode: '*'
filter3:
eventName: 'ConsoleLogin'
responseElements|contains: 'Failure'
condition: selection and (filter1 or filter2 or filter3)
level: low

20
rules/cloud/aws/aws_efs_fileshare_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,20 @@
title: AWS EFS Fileshare Modified or Deleted
id: 25cb1ba1-8a19-4a23-a198-d252664c8cef
status: experimental
description: Detects when a EFS Fileshare is modified or deleted. You can't delete a file system that is in use. If the file system has any mount targets, the adversary must first delete them, so deletion of a mount will occur before deletion of a fileshare.
author: Austin Songer @austinsonger
date: 2021/08/15
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: elasticfilesystem.amazonaws.com
eventName: DeleteFileSystem
condition: selection
falsepositives:
- unknown
level: medium
tags:
- attack.impact

20
rules/cloud/aws/aws_efs_fileshare_mount_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,20 @@
title: AWS EFS Fileshare Mount Modified or Deleted
id: 6a7ba45c-63d8-473e-9736-2eaabff79964
status: experimental
description: Detects when a EFS Fileshare Mount is modified or deleted. An adversary breaking any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts.
author: Austin Songer @austinsonger
date: 2021/08/15
references:
- https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: elasticfilesystem.amazonaws.com
eventName: DeleteMountTarget
condition: selection
falsepositives:
- unknown
level: medium
tags:
- attack.impact

24
rules/cloud/aws/aws_eks_cluster_created_or_deleted.yml Normal file
View File

@ -0,0 +1,24 @@
title: AWS EKS Cluster Created or Deleted
id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
description: Identifies when an EKS cluster is created or deleted.
author: Austin Songer
status: experimental
date: 2021/08/16
references:
- https://any-api.com/amazonaws_com/eks/docs/API_Description
logsource:
service: cloudtrail
detection:
selection:
eventSource: eks.amazonaws.com
eventName:
- CreateCluster
- DeleteCluster
condition: selection
level: low
tags:
- attack.impact
falsepositives:
- EKS Cluster being created or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- EKS Cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

25
rules/cloud/aws/aws_elasticache_security_group_created.yml Normal file
View File

@ -0,0 +1,25 @@
title: AWS ElastiCache Security Group Created
id: 4ae68615-866f-4304-b24b-ba048dfa5ca7
description: Detects when an ElastiCache security group has been created.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/598f3d7e0a63221c0703ad9a0ea7e22e7bc5961e/rules/integrations/aws/persistence_elasticache_security_group_creation.toml
logsource:
service: cloudtrail
detection:
selection:
eventSource: elasticache.amazonaws.com
eventName: "CreateCacheSecurityGroup"
condition: selection
level: low
tags:
- attack.persistence
- attack.t1136
- attack.t1136.003
falsepositives:
- A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

29
rules/cloud/aws/aws_elasticache_security_group_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,29 @@
title: AWS ElastiCache Security Group Modified or Deleted
id: 7c797da2-9cf2-4523-ba64-33b06339f0cc
description: Identifies when an ElastiCache security group has been modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/blob/7d5efd68603f42be5e125b5a6a503b2ef3ac0f4e/rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
logsource:
service: cloudtrail
detection:
selection:
eventSource: elasticache.amazonaws.com
eventName:
- "DeleteCacheSecurityGroup"
- "AuthorizeCacheSecurityGroupIngress"
- "RevokeCacheSecurityGroupIngress"
- "AuthorizeCacheSecurityGroupEgress"
- "RevokeCacheSecurityGroupEgress"
condition: selection
level: low
tags:
- attack.impact
- attack.t1531
falsepositives:
- A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

5
rules/cloud/aws_enum_listing.yml → rules/cloud/aws/aws_enum_listing.yml
View File

@ -4,13 +4,14 @@ status: experimental
description: Detects enumeration of accounts configuration via api call to list different instances and services within a short period of time.
author: toffeebr33k
date: 2020/11/21
modified: 2021/08/09
logsource:
service: cloudtrail
detection:
selection_eventname:
- eventName: list*
eventName: list*
timeframe: 10m
condition: all of them | count() > 50
condition: selection_eventname | count() > 50
fields:
- userIdentity.arn
falsepositives:

8
rules/cloud/aws_guardduty_disruption.yml → rules/cloud/aws/aws_guardduty_disruption.yml
View File

@ -4,16 +4,16 @@ status: experimental
description: Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
author: faloker
date: 2020/02/11
modified: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/guardduty__whitelist_ip/main.py#L9
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: guardduty.amazonaws.com
selection_eventName:
- eventName: CreateIPSet
condition: all of them
eventSource: guardduty.amazonaws.com
eventName: CreateIPSet
condition: selection_source
falsepositives:
- Valid change in the GuardDuty (e.g. to ignore internal scanners)
level: high

11
rules/cloud/aws_iam_backdoor_users_keys.yml → rules/cloud/aws/aws_iam_backdoor_users_keys.yml
View File

@ -4,19 +4,18 @@ status: experimental
description: Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment. Also with this alert, you can detect a flow of AWS keys in your org.
author: faloker
date: 2020/02/12
modified: 2020/09/01
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/iam__backdoor_users_keys/main.py#L6
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/iam__backdoor_users_keys/main.py
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: iam.amazonaws.com
selection_eventname:
- eventName: CreateAccessKey
eventSource: iam.amazonaws.com
eventName: CreateAccessKey
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
condition: all of selection* and not filter
condition: selection_source and not filter
fields:
- userIdentity.arn
- responseElements.accessKey.userName

35
rules/cloud/aws/aws_macic_evasion.yml Normal file
View File

@ -0,0 +1,35 @@
title: AWS Macie Evasion
id: 91f6a16c-ef71-437a-99ac-0b070e3ad221
status: experimental
description: Detects evade to Macie detection.
author: Sittikorn S
date: 2021/07/06
references:
- https://docs.aws.amazon.com/cli/latest/reference/macie/
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
service: cloudtrail
detection:
selection:
eventName:
- 'ArchiveFindings'
- 'CreateFindingsFilter'
- 'DeleteMember'
- 'DisassociateFromMasterAccount'
- 'DisassociateMember'
- 'DisableMacie'
- 'DisableOrganizationAdminAccount'
- 'UpdateFindingsFilter'
- 'UpdateMacieSession'
- 'UpdateMemberSession'
- 'UpdateClassificationJob'
timeframe: 10m
condition: selection | count() by sourceIPAddress > 5
fields:
- sourceIPAddress
- userIdentity.arn
falsepositives:
- System or Network administrator behaviors
level: medium

14
rules/cloud/aws_rds_change_master_password.yml → rules/cloud/aws/aws_rds_change_master_password.yml
View File

@ -4,19 +4,17 @@ status: experimental
description: Detects the change of database master password. It may be a part of data exfiltration.
author: faloker
date: 2020/02/12
modified: 2020/09/01
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: rds.amazonaws.com
selection_modified_values:
- responseElements.pendingModifiedValues.masterUserPassword: "*"
selection_eventname:
- eventName: ModifyDBInstance
condition: all of them
eventSource: rds.amazonaws.com
responseElements.pendingModifiedValues.masterUserPassword: "*"
eventName: ModifyDBInstance
condition: selection_source
falsepositives:
- Benign changes to a db instance
level: medium

14
rules/cloud/aws_rds_public_db_restore.yml → rules/cloud/aws/aws_rds_public_db_restore.yml
View File

@ -4,19 +4,17 @@ status: experimental
description: Detects the recovery of a new public database instance from a snapshot. It may be a part of data exfiltration.
author: faloker
date: 2020/02/12
modified: 2020/09/01
modified: 2021/08/20
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/master/modules/rds__explore_snapshots/main.py#L10
- https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: rds.amazonaws.com
selection_ispublic:
- responseElements.publiclyAccessible: "true"
selection_eventname:
- eventName: RestoreDBInstanceFromDBSnapshot
condition: all of them
eventSource: rds.amazonaws.com
responseElements.publiclyAccessible: "true"
eventName: RestoreDBInstanceFromDBSnapshot
condition: selection_source
falsepositives:
- unknown
level: high

6
rules/cloud/aws_root_account_usage.yml → rules/cloud/aws/aws_root_account_usage.yml
View File

@ -4,16 +4,16 @@ status: experimental
description: Detects AWS root account usage
author: vitaliy0x1
date: 2020/01/21
modified: 2020/09/01
modified: 2021/08/09
references:
- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
logsource:
service: cloudtrail
detection:
selection_usertype:
- userIdentity.type: Root
userIdentity.type: Root
selection_eventtype:
- eventType: AwsServiceEvent
eventType: AwsServiceEvent
condition: selection_usertype AND NOT selection_eventtype
falsepositives:
- AWS Tasks That Require AWS Account Root User Credentials https://docs.aws.amazon.com/general/latest/gr/aws_tasks-that-require-root.html

25
rules/cloud/aws/aws_route_53_domain_transferred_lock_disabled.yml Normal file
View File

@ -0,0 +1,25 @@
title: AWS Route 53 Domain Transfer Lock Disabled
id: 3940b5f1-3f46-44aa-b746-ebe615b879e0
description: Detects when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.
author: Elastic, Austin Songer @austinsonger
status: experimental
date: 2021/07/22
references:
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html
- https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: route53.amazonaws.com
eventName: DisableDomainTransferLock
condition: selection
level: low
tags:
- attack.persistence
- attack.credential_access
- attack.t1098
falsepositives:
- A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

22
rules/cloud/aws/aws_route_53_domain_transferred_to_another_account.yml Normal file
View File

@ -0,0 +1,22 @@
title: AWS Route 53 Domain Transferred to Another Account
id: b056de1a-6e6e-4e40-a67e-97c9808cf41b
description: Detects when a request has been made to transfer a Route 53 domain to another AWS account.
author: Elastic, Austin Songer @austinsonger
status: experimental
date: 2021/07/22
references:
- https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
logsource:
service: cloudtrail
detection:
selection:
eventSource: route53.amazonaws.com
eventName: TransferDomainToAnotherAwsAccount
condition: selection
tags:
- attack.persistence
- attack.credential_access
- attack.t1098
falsepositives:
- A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: low

35
rules/cloud/aws/aws_s3_data_management_tampering.yml Normal file
View File

@ -0,0 +1,35 @@
title: AWS S3 Data Management Tampering
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/19
references:
- https://github.com/elastic/detection-rules/pull/1145/files
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: s3.amazonaws.com
eventName:
- PutBucketLogging
- PutBucketWebsite
- PutEncryptionConfiguration
- PutLifecycleConfiguration
- PutReplicationConfiguration
- ReplicateObject
- RestoreObject
condition: selection
level: low
tags:
- attack.exfiltration
- attack.t1537
falsepositives:
- A S3 configuration change may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. S3 configuration change from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

29
rules/cloud/aws/aws_securityhub_finding_evasion.yml Normal file
View File

@ -0,0 +1,29 @@
title: AWS SecurityHub Findings Evasion
id: a607e1fe-74bf-4440-a3ec-b059b9103157
status: stable
description: Detects the modification of the findings on SecurityHub.
author: Sittikorn S
date: 2021/06/28
references:
- https://docs.aws.amazon.com/cli/latest/reference/securityhub/
tags:
- attack.defense_evasion
- attack.t1562
logsource:
service: cloudtrail
detection:
selection:
eventSource: securityhub.amazonaws.com
eventName:
- 'BatchUpdateFindings'
- 'DeleteInsight'
- 'UpdateFindings'
- 'UpdateInsight'
condition: selection
fields:
- sourceIPAddress
- userIdentity.arn
falsepositives:
- System or Network administrator behaviors
- DEV, UAT, SAT environment. You should apply this rule with PROD environment only.
level: high

23
rules/cloud/aws/aws_snapshot_backup_exfiltration.yml Normal file
View File

@ -0,0 +1,23 @@
title: AWS Snapshot Backup Exfiltration
id: abae8fec-57bd-4f87-aff6-6e3db989843d
status: test
description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
author: Darin Smith
date: 2021/05/17
modified: 2021/08/19
references:
- https://www.justice.gov/file/1080281/download
- https://attack.mitre.org/techniques/T1537/
logsource:
service: cloudtrail
detection:
selection_source:
eventSource: ec2.amazonaws.com
eventName: ModifySnapshotAttribute
condition: selection_source
falsepositives:
- Valid change to a snapshot's permissions
level: medium
tags:
- attack.exfiltration
- attack.t1537

29
rules/cloud/aws/aws_sts_assumerole_misuse.yml Normal file
View File

@ -0,0 +1,29 @@
title: AWS STS AssumeRole Misuse
id: 905d389b-b853-46d0-9d3d-dea0d3a3cd49
description: Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
modified: 2021/08/20
references:
- https://github.com/elastic/detection-rules/pull/1214
- https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: sts.amazonaws.com
eventName: AssumeRole
userIdentity.sessionContext.sessionIssuer.type: Role
condition: selection
level: low
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1548
- attack.t1550
- attack.t1550.001
falsepositives:
- AssumeRole may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- AssumeRole from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Automated processes that uses Terraform may lead to false positives.

26
rules/cloud/aws/aws_sts_getsessiontoken_misuse.yml Normal file
View File

@ -0,0 +1,26 @@
title: AWS STS GetSessionToken Misuse
id: b45ab1d2-712f-4f01-a751-df3826969807
description: Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:
- https://github.com/elastic/detection-rules/pull/1213
- https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
logsource:
service: cloudtrail
detection:
selection:
eventSource: sts.amazonaws.com
eventName: GetSessionToken
userIdentity.type: IAMUser
condition: selection
level: low
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.t1548
- attack.t1550
- attack.t1550.001
falsepositives:
- GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

13
rules/cloud/aws_update_login_profile.yml → rules/cloud/aws/aws_update_login_profile.yml
View File

@ -1,21 +1,22 @@
title: AWS User Login Profile Was Modified
id: 055fb148-60f8-462d-ad16-26926ce050f1
status: experimental
description: An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. With this alert, it is used to detect anyone is changing password on behalf of other users.
description: |
An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup.
With this alert, it is used to detect anyone is changing password on behalf of other users.
author: toffeebr33k
date: 2020/11/21
date: 2021/08/09
references:
- https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation
logsource:
service: cloudtrail
detection:
selection_source:
- eventSource: iam.amazonaws.com
selection_eventname:
- eventName: UpdateLoginProfile
eventSource: iam.amazonaws.com
eventName: UpdateLoginProfile
filter:
userIdentity.arn|contains: responseElements.accessKey.userName
condition: all of selection* and not filter
condition: selection_source and not filter
fields:
- userIdentity.arn
- responseElements.accessKey.userName

26
rules/cloud/azure/azure_aadhybridhealth_adfs_new_server.yml Normal file
View File

@ -0,0 +1,26 @@
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
description: |
This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
status: experimental
date: 2021/08/26
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
tags:
- attack.defense_evasion
- attack.t1578
references:
- https://o365blog.com/post/hybridhealthagent/
logsource:
service: AzureActivity
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
falsepositives:
- legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium

26
rules/cloud/azure/azure_aadhybridhealth_adfs_service_delete.yml Normal file
View File

@ -0,0 +1,26 @@
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
description: |
This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
status: experimental
date: 2021/08/26
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
tags:
- attack.defense_evasion
- attack.t1578.003
references:
- https://o365blog.com/post/hybridhealthagent/
logsource:
service: AzureActivity
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
condition: selection
falsepositives:
- legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium

23
rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,23 @@
title: Azure Application Gateway Modified or Deleted
id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
description: Identifies when a application gateway is modified or deleted.
author: Austin Songer
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Application gateway being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

23
rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,23 @@
title: Azure Application Security Group Modified or Deleted
id: 835747f1-9329-40b5-9cc3-97d465754ce6
description: Identifies when a application security group is modified or deleted.
author: Austin Songer
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Application security group being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

26
rules/cloud/azure/azure_container_registry_created_or_deleted.yml Normal file
View File

@ -0,0 +1,26 @@
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
description: Detects when a Container Registry is created or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
condition: selection
level: low
tags:
- attack.impact
falsepositives:
- Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

20
rules/cloud/azure/azure_creating_number_of_resources_detection.yml Normal file
View File

@ -0,0 +1,20 @@
title: Number Of Resource Creation Or Deployment Activities
id: d2d901db-7a75-45a1-bc39-0cbf00812192
status: experimental
author: sawwinnnaung
date: 2020/05/07
description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
logsource:
service: AzureActivity
detection:
keywords:
- Microsoft.Compute/virtualMachines/write
- Microsoft.Resources/deployments/write
condition: keywords
level: medium
falsepositives:
- Valid change
tags:
- attack.t1098

23
rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,23 @@
title: Azure DNS Zone Modified or Deleted
id: af6925b0-8826-47f1-9324-337507a0babd
description: Identifies when DNS zone is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
logsource:
service: azure.activitylogs
detection:
selection:
properties.message|startswith: MICROSOFT.NETWORK/DNSZONES
properties.message|endswith:
- /WRITE
- /DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

22
rules/cloud/azure/azure_firewall_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,22 @@
title: Azure Firewall Modified or Deleted
id: 512cf937-ea9b-4332-939c-4c2c94baadcd
description: Identifies when a firewall is created, modified, or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

26
rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,26 @@
title: Azure Firewall Rule Collection Modified or Deleted
id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

19
rules/cloud/azure/azure_granting_permission_detection.yml Normal file
View File

@ -0,0 +1,19 @@
title: Granting Of Permissions To An Account
id: a622fcd2-4b5a-436a-b8a2-a4171161833c
status: experimental
author: sawwinnnaung
date: 2020/05/07
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
logsource:
service: AzureActivity
detection:
keywords:
- Microsoft.Authorization/roleAssignments/write
condition: keywords
level: medium
falsepositives:
- Valid change
tags:
- attack.t1098

33
rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,33 @@
title: Azure Keyvault Key Modified or Deleted
id: 80eeab92-0979-4152-942d-96749e11df40
description: Identifies when a Keyvault Key is modified or deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
falsepositives:
- Key being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

28
rules/cloud/azure/azure_keyvault_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,28 @@
title: Azure Key Vault Modified or Deleted.
id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
description: Identifies when a key vault is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
- MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
falsepositives:
- Key Vault being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

32
rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,32 @@
title: Azure Keyvault Secrets Modified or Deleted
id: b831353c-1971-477b-abb6-2828edc3bca1
description: Identifies when secrets are modified or deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

27
rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml Normal file
View File

@ -0,0 +1,27 @@
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
description: Detects when a Azure Kubernetes Cluster is created or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
condition: selection
level: low
tags:
- attack.impact
falsepositives:
- Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

23
rules/cloud/azure/azure_kubernetes_events_deleted.yml Normal file
View File

@ -0,0 +1,23 @@
title: Azure Kubernetes Events Deleted
id: 225d8b09-e714-479c-a0e4-55e6f29adf35
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
logsource:
service: azure.activitylogs
detection:
selection_operation_name:
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
condition: selection_operation_name
level: medium
tags:
- attack.defense_evasion
- attack.t1562
- attack.t1562.001
falsepositives:
- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

29
rules/cloud/azure/azure_kubernetes_network_policy_change.yml Normal file
View File

@ -0,0 +1,29 @@
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
falsepositives:
- Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

21
rules/cloud/azure/azure_kubernetes_pods_deleted.yml Normal file
View File

@ -0,0 +1,21 @@
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
description: Identifies the deletion of Azure Kubernetes Pods.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
logsource:
service: azure.activitylogs
detection:
selection_operation_name:
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
condition: selection_operation_name
level: medium
tags:
- attack.impact
falsepositives:
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

32
rules/cloud/azure/azure_kubernetes_role_access.yml Normal file
View File

@ -0,0 +1,32 @@
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
description: Identifies when ClusterRoles/Roles are being modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

30
rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,30 @@
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
falsepositives:
- RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

27
rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml Normal file
View File

@ -0,0 +1,27 @@
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

27
rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,27 @@
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
description: Identifies when a service account is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

24
rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,24 @@
title: Azure Firewall Rule Configuration Modified or Deleted
id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067
description: Identifies when a Firewall Rule Configuration is Modified or Deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

26
rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,26 @@
title: Azure Point-to-site VPN Modified or Deleted
id: d9557b75-267b-4b43-922f-a775e2d1f792
description: Identifies when a Point-to-site VPN is Modified or Deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

26
rules/cloud/azure/azure_network_security_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,26 @@
title: Azure Network Security Configuration Modified or Deleted
id: d22b4df4-5a67-4859-a578-8c9a0b5af9df
description: Identifies when a network security configuration is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

31
rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,31 @@
title: Azure Virtual Network Device Modified or Deleted
id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE
- MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE
- MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE
- MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE
- MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE
- MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE
- MICROSOFT.NETWORK/VIRTUALHUBS/DELETE
- MICROSOFT.NETWORK/VIRTUALHUBS/WRITE
- MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE
- MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

25
rules/cloud/azure/azure_rare_operations.yml Normal file
View File

@ -0,0 +1,25 @@
title: Rare Subscription-level Operations In Azure
id: c1182e02-49a3-481c-b3de-0fadc4091488
status: experimental
author: sawwinnnaung
date: 2020/05/07
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
references:
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
logsource:
service: AzureActivity
detection:
keywords:
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
- Microsoft.Maps/accounts/listKeys/action
- Microsoft.Media/mediaservices/listKeys/action
- Microsoft.CognitiveServices/accounts/listKeys/action
- Microsoft.Storage/storageAccounts/listKeys/action
- Microsoft.Compute/snapshots/write
- Microsoft.Network/networkSecurityGroups/write
condition: keywords
level: medium
falsepositives:
- Valid change
tags:
- attack.t1003

22
rules/cloud/azure/azure_suppression_rule_created.yml Normal file
View File

@ -0,0 +1,22 @@
title: Azure Suppression Rule Created
id: 92cc3e5d-eb57-419d-8c16-5c63f325a401
description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.
author: Austin Songer
status: experimental
date: 2021/08/16
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Suppression Rule being created may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

25
rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,25 @@
title: Azure Virtual Network Modified or Deleted
id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f
description: Identifies when a Virtual Network is modified or deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message|startswith:
- MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/
- MICROSOFT.NETWORK/VIRTUALNETWORKS/
properties.message|endswith:
- /WRITE
- /DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

22
rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,22 @@
title: Azure VPN Connection Modified or Deleted
id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3
description: Identifies when a VPN connection is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
logsource:
service: azure.activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE
- MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

22
rules/cloud/gcp/gcp_bucket_enumeration.yml Normal file
View File

@ -0,0 +1,22 @@
title: Google Cloud Storage Buckets Enumeration
id: e2feb918-4e77-4608-9697-990a1aaf74c3
description: Detects when storage bucket is enumerated in Google Cloud.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/14
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- storage.buckets.list
- storage.buckets.listChannels
condition: selection
level: low
tags:
- attack.discovery
falsepositives:
- Storage Buckets being enumerated may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Storage Buckets enumerated from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

24
rules/cloud/gcp/gcp_bucket_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,24 @@
title: Google Cloud Storage Buckets Modified or Deleted
id: 4d9f2ee2-c903-48ab-b9c1-8c0f474913d0
description: Detects when storage bucket is modified or deleted in Google Cloud.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/14
references:
- https://cloud.google.com/storage/docs/json_api/v1/buckets
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- storage.buckets.delete
- storage.buckets.insert
- storage.buckets.update
- storage.buckets.patch
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Storage Buckets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Storage Buckets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

20
rules/cloud/gcp/gcp_dlp_re-identifies_sensitive_information.yml Normal file
View File

@ -0,0 +1,20 @@
title: Google Cloud Re-identifies Sensitive Information.
id: 234f9f48-904b-4736-a34c-55d23919e4b7
description: Identifies when sensitive information is re-identified in google Cloud.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/15
references:
- https://cloud.google.com/dlp/docs/reference/rest/v2/projects.content/reidentify
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name: projects.content.reidentify
condition: selection
level: medium
tags:
- attack.impact
- attack.t1565
falsepositives:
- Unknown

22
rules/cloud/gcp/gcp_dns_zone_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,22 @@
title: Google Cloud DNS Zone Modified or Deleted
id: 28268a8f-191f-4c17-85b2-f5aa4fa829c3
description: Identifies when a DNS Zone is modified or deleted in Google Cloud.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/15
references:
- https://cloud.google.com/dns/docs/reference/v1/managedZones
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- Dns.ManagedZones.Delete
- Dns.ManagedZones.Update
- Dns.ManagedZones.Patch
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Unknown

26
rules/cloud/gcp/gcp_firewall_rule_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,26 @@
title: Google Cloud Firewall Modified or Deleted
id: fe513c69-734c-4d4a-8548-ac5f609be82b
description: Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/13
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
- https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.Firewalls.html
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- v*.Compute.Firewalls.Delete
- v*.Compute.Firewalls.Patch
- v*.Compute.Firewalls.Update
- v*.Compute.Firewalls.Insert
condition: selection
level: medium
tags:
- attack.defense_evasion
- attack.t1562
falsepositives:
- Firewall rules being modified or deleted may be performed by a system administrator. Verify that the firewall configuration change was expected.
- Exceptions can be added to this rule to filter expected behavior.

28
rules/cloud/gcp/gcp_full_network_traffic_packet_capture.yml Normal file
View File

@ -0,0 +1,28 @@
title: Google Full Network Traffic Packet Capture
id: 980a7598-1e7f-4962-9372-2d754c930d0e
description: Identifies potential full network packet capture in gcp. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/13
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
- https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- v*.Compute.PacketMirrorings.Get
- v*.Compute.PacketMirrorings.Delete
- v*.Compute.PacketMirrorings.Insert
- v*.Compute.PacketMirrorings.Patch
- v*.Compute.PacketMirrorings.List
- v*.Compute.PacketMirrorings.aggregatedList
condition: selection
level: medium
tags:
- attack.collection
- attack.t1074
falsepositives:
- Full Network Packet Capture may be done by a system or network administrator.
- If known behavior is causing false positives, it can be exempted from the rule.

32
rules/cloud/gcp/gcp_kubernetes_rolebinding.yml Normal file
View File

@ -0,0 +1,32 @@
title: Google Cloud Kubernetes RoleBinding
id: 0322d9f2-289a-47c2-b5e1-b63c90901a3e
description: Detects the creation or patching of potential malicious RoleBinding. This includes RoleBindings and ClusterRoleBinding.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/09
references:
- https://github.com/elastic/detection-rules/pull/1267
- https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole
- https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control
- https://kubernetes.io/docs/reference/access-authn-authz/rbac/
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.authorization.rbac.v*.clusterrolebindings.create
- io.k8s.authorization.rbac.v*.rolebindings.create
- io.k8s.authorization.rbac.v*.clusterrolebindings.patch
- io.k8s.authorization.rbac.v*.rolebindings.patch
- io.k8s.authorization.rbac.v*.clusterrolebindings.update
- io.k8s.authorization.rbac.v*.rolebindings.update
- io.k8s.authorization.rbac.v*.clusterrolebindings.delete
- io.k8s.authorization.rbac.v*.rolebindings.delete
condition: selection
level: medium
tags:
- attack.credential_access
falsepositives:
- RoleBindings and ClusterRoleBinding being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBindings and ClusterRoleBinding modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

24
rules/cloud/gcp/gcp_kubernetes_secrets_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,24 @@
title: Google Cloud Kubernetes Secrets Modified or Deleted
id: 2f0bae2d-bf20-4465-be86-1311addebaa3
description: Identifies when the Secrets are Modified or Deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/09
references:
- https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- io.k8s.core.v*.secrets.create
- io.k8s.core.v*.secrets.update
- io.k8s.core.v*.secrets.patch
- io.k8s.core.v*.secrets.delete
condition: selection
level: medium
tags:
- attack.credential_access
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

23
rules/cloud/gcp/gcp_service_account_disabled_or_deleted.yml Normal file
View File

@ -0,0 +1,23 @@
title: Google Cloud Service Account Disabled or Deleted
id: 13f81a90-a69c-4fab-8f07-b5bb55416a9f
description: Identifies when a service account is disabled or deleted in Google Cloud.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/14
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name|endswith:
- .serviceAccounts.disable
- .serviceAccounts.delete
condition: selection
level: medium
tags:
- attack.impact
- attack.t1531
falsepositives:
- Service Account being disabled or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service Account disabled or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

25
rules/cloud/gcp/gcp_service_account_modified.yml Normal file
View File

@ -0,0 +1,25 @@
title: Google Cloud Service Account Modified
id: 6b67c12e-5e40-47c6-b3b0-1e6b571184cc
description: Identifies when a service account is modified in Google Cloud.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/14
references:
- https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name|endswith:
- .serviceAccounts.patch
- .serviceAccounts.create
- .serviceAccounts.update
- .serviceAccounts.enable
- .serviceAccounts.undelete
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Service Account being modified may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service Account modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

23
rules/cloud/gcp/gcp_vpn_tunnel_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,23 @@
title: Google Cloud VPN Tunnel Modified or Deleted
id: 99980a85-3a61-43d3-ac0f-b68d6b4797b1
description: Identifies when a VPN Tunnel Modified or Deleted in Google Cloud.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
references:
- https://any-api.com/googleapis_com/compute/docs/vpnTunnels
logsource:
service: gcp.audit
detection:
selection:
gcp.audit.method_name:
- compute.vpnTunnels.insert
- compute.vpnTunnels.delete
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- VPN Tunnel being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- VPN Tunnel modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

24
rules/cloud/gworkspace/gworkspace_application_removed.yml Normal file
View File

@ -0,0 +1,24 @@
title: Google Workspace Application Removed
id: ee2803f0-71c8-4831-b48b-a1fc57601ee4
description: Detects when an an application is removed from Google Workspace.
author: Austin Songer
status: experimental
date: 2021/08/26
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName:
- REMOVE_APPLICATION
- REMOVE_APPLICATION_FROM_WHITELIST
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Application being removed may be performed by a System Administrator.

23
rules/cloud/gworkspace/gworkspace_granted_domain_api_access.yml Normal file
View File

@ -0,0 +1,23 @@
title: Google Workspace Granted Domain API Access
id: 04e2a23a-9b29-4a5c-be3a-3542e3f982ba
description: Detects when an API access service account is granted domain authority.
author: Austin Songer
status: experimental
date: 2021/08/23
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings#AUTHORIZE_API_CLIENT_ACCESS
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName: AUTHORIZE_API_CLIENT_ACCESS
condition: selection
level: medium
tags:
- attack.persistence
- attack.t1098
falsepositives:
- Unknown

28
rules/cloud/gworkspace/gworkspace_mfa_disabled.yml Normal file
View File

@ -0,0 +1,28 @@
title: Google Workspace MFA Disabled
id: 780601d1-6376-4f2a-884e-b8d45599f78c
description: Detects when multi-factor authentication (MFA) is disabled.
author: Austin Songer
status: experimental
date: 2021/08/26
modified: 2021/08/29
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName:
- ENFORCE_STRONG_AUTHENTICATION
- ALLOW_STRONG_AUTHENTICATION
eventValue:
new_value: 'false'
condition: all of them
level: medium
tags:
- attack.impact
falsepositives:
- MFA may be disabled and performed by a system administrator.

25
rules/cloud/gworkspace/gworkspace_role_modified_or_deleted.yml Normal file
View File

@ -0,0 +1,25 @@
title: Google Workspace Role Modified or Deleted
id: 6aef64e3-60c6-4782-8db3-8448759c714e
description: Detects when an a role is modified or deleted in Google Workspace.
author: Austin Songer
status: experimental
date: 2021/08/24
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName:
- DELETE_ROLE
- RENAME_ROLE
- UPDATE_ROLE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Unknown

22
rules/cloud/gworkspace/gworkspace_role_privilege_deleted.yml Normal file
View File

@ -0,0 +1,22 @@
title: Google Workspace Role Privilege Deleted
id: bf638ef7-4d2d-44bb-a1dc-a238252e6267
description: Detects when an a role privilege is deleted in Google Workspace.
author: Austin Songer
status: experimental
date: 2021/08/24
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-delegated-admin-settings
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName: REMOVE_PRIVILEGE
condition: selection
level: medium
tags:
- attack.impact
falsepositives:
- Unknown

24
rules/cloud/gworkspace/gworkspace_user_granted_admin_privileges.yml Normal file
View File

@ -0,0 +1,24 @@
title: Google Workspace User Granted Admin Privileges
id: 2d1b83e4-17c6-4896-a37b-29140b40a788
description: Detects when an Google Workspace user is granted admin privileges.
author: Austin Songer
status: experimental
date: 2021/08/23
references:
- https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3
- https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE
logsource:
service: google_workspace.admin
detection:
selection:
eventService: admin.googleapis.com
eventName:
- GRANT_DELEGATED_ADMIN_PRIVILEGES
- GRANT_ADMIN_PRIVILEGE
condition: selection
level: medium
tags:
- attack.persistence
- attack.t1098
falsepositives:
- Google Workspace admin role privileges, may be modified by system administrators.

23
rules/cloud/m365/microsoft365_activity_by_terminated_user.yml Normal file
View File

@ -0,0 +1,23 @@
title: Activity Performed by Terminated User
id: 2e669ed8-742e-4fe5-b3c4-5a59b486c2ee
status: experimental
description: Detects when a Microsoft Cloud App Security reported for users whose account were terminated in Azure AD, but still perform activities in other platforms such as AWS or Salesforce. This is especially relevant for users who use another account to manage resources, since these accounts are often not terminated when a user leaves the company.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Activity performed by terminated user"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.impact

24
rules/cloud/m365/microsoft365_activity_from_anonymous_ip_addresses.yml Normal file
View File

@ -0,0 +1,24 @@
title: Activity from Anonymous IP Addresses
id: d8b0a4fe-07a8-41be-bd39-b14afa025d95
status: experimental
description: Detects when a Microsoft Cloud App Security reported when users were active from an IP address that has been identified as an anonymous proxy IP address.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Activity from anonymous IP addresses"
status: success
condition: selection
falsepositives:
- User using a VPN or Proxy
level: medium
tags:
- attack.command_and_control
- attack.t1573

24
rules/cloud/m365/microsoft365_activity_from_infrequent_country.yml Normal file
View File

@ -0,0 +1,24 @@
title: Activity from Infrequent Country
id: 0f2468a2-5055-4212-a368-7321198ee706
status: experimental
description: Detects when a Microsoft Cloud App Security reported when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Activity from infrequent country"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.command_and_control
- attack.t1573

24
rules/cloud/m365/microsoft365_data_exfiltration_to_unsanctioned_app.yml Normal file
View File

@ -0,0 +1,24 @@
title: Data Exfiltration to Unsanctioned Apps
id: 2b669496-d215-47d8-bd9a-f4a45bf07cda
status: experimental
description: Detects when a Microsoft Cloud App Security reported when a user or IP address uses an app that is not sanctioned to perform an activity that resembles an attempt to exfiltrate information from your organization.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Data exfiltration to unsanctioned apps"
status: success
condition: selection
falsepositives:
-
level: medium
tags:
- attack.exfiltration
- attack.t1537

24
rules/cloud/m365/microsoft365_from_suspicious_ip_addresses.yml Normal file
View File

@ -0,0 +1,24 @@
title: Activity from Suspicious IP Addresses
id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
status: experimental
description: Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatDetection
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Activity from suspicious IP addresses"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.command_and_control
- attack.t1573

27
rules/cloud/m365/microsoft365_impossible_travel_activity.yml Normal file
View File

@ -0,0 +1,27 @@
title: Microsoft 365 - Impossible Travel Activity
id: d7eab125-5f94-43df-8710-795b80fa1189
status: experimental
description: Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.
author: Austin Songer @austinsonger
date: 2020/07/06
modified: 2020/07/06
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: Office365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Impossible travel activity"
status: success
condition: selection
falsepositives:
-
level: medium
tags:
- attack.initial_access
- attack.t1078

24
rules/cloud/m365/microsoft365_logon_from_risky_ip_address.yml Normal file
View File

@ -0,0 +1,24 @@
title: Logon from a Risky IP Address
id: c191e2fa-f9d6-4ccf-82af-4f2aba08359f
status: experimental
description: Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Log on from a risky IP address"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.initial_access
- attack.t1078

24
rules/cloud/m365/microsoft365_potential_ransomware_activity.yml Normal file
View File

@ -0,0 +1,24 @@
title: Microsoft 365 - Potential Ransomware Activity
id: bd132164-884a-48f1-aa2d-c6d646b04c69
status: experimental
description: Detects when a Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
author: austinsonger
date: 2021/08/19
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: Microsoft365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Potential ransomware activity"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.impact
- attack.t1486

24
rules/cloud/m365/microsoft365_suspicious_inbox_forwarding.yml Normal file
View File

@ -0,0 +1,24 @@
title: Suspicious Inbox Forwarding
id: 6c220477-0b5b-4b25-bb90-66183b4089e8
status: experimental
description: Detects when a Microsoft Cloud App Security reported suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
author: Austin Songer @austinsonger
date: 2021/08/22
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Suspicious inbox forwarding"
status: success
condition: selection
falsepositives:
- Unknown
level: low
tags:
- attack.exfiltration
- attack.t1020

23
rules/cloud/m365/microsoft365_suspicious_oauth_app_file_download_activities.yml Normal file
View File

@ -0,0 +1,23 @@
title: Suspicious OAuth App File Download Activities
id: ee111937-1fe7-40f0-962a-0eb44d57d174
status: experimental
description: Detects when a Microsoft Cloud App Security reported when an app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.
author: Austin Songer @austinsonger
date: 2021/08/23
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: m365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Suspicious OAuth app file download activities"
status: success
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.exfiltration

24
rules/cloud/m365/microsoft365_unusual_volume_of_file_deletion.yml Normal file
View File

@ -0,0 +1,24 @@
title: Microsoft 365 - Unusual Volume of File Deletion
id: 78a34b67-3c39-4886-8fb4-61c46dc18ecd
status: experimental
description: Detects when a Microsoft Cloud App Security reported a user has deleted a unusual a large volume of files.
author: austinsonger
date: 2021/08/19
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: Microsoft365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "Unusual volume of file deletion"
status: success
condition: selection
falsepositives:
-
level: medium
tags:
- attack.impact
- attack.t1485

24
rules/cloud/m365/microsoft365_user_restricted_from_sending_email.yml Normal file
View File

@ -0,0 +1,24 @@
title: Microsoft 365 - User Restricted from Sending Email
id: ff246f56-7f24-402a-baca-b86540e3925c
status: experimental
description: Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.
author: austinsonger
date: 2021/08/19
references:
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
logsource:
category: ThreatManagement
service: Microsoft365
detection:
selection:
eventSource: SecurityComplianceCenter
eventName: "User restricted from sending email"
status: success
condition: selection
falsepositives:
-
level: medium
tags:
- attack.initial_access
- attack.t1199

88
rules/compliance/cleartext_protocols.yml
View File

@ -13,49 +13,49 @@ references:
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.5
- CSC14
- CSC14.4
- CSC16
- CSC16.5
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- NIST CSF 1.1 PR.AC-1
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 PR.DS-1
- NIST CSF 1.1 PR.DS-2
- ISO 27002-2013 A.9.2.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- ISO 27002-2013 A.8.3.1
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.10.1.1
- PCI DSS 3.2 2.1
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
- PCI DSS 3.2 8.8
- PCI DSS 3.2 1.3
- PCI DSS 3.2 1.4
- PCI DSS 3.2 4.3
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
# tags:
# - CSC4
# - CSC4.5
# - CSC14
# - CSC14.4
# - CSC16
# - CSC16.5
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - NIST CSF 1.1 PR.AC-1
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AC-5
# - NIST CSF 1.1 PR.AC-6
# - NIST CSF 1.1 PR.AC-7
# - NIST CSF 1.1 PR.DS-1
# - NIST CSF 1.1 PR.DS-2
# - ISO 27002-2013 A.9.2.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - ISO 27002-2013 A.8.3.1
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.10.1.1
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7
# - PCI DSS 3.2 8.8
# - PCI DSS 3.2 1.3
# - PCI DSS 3.2 1.4
# - PCI DSS 3.2 4.3
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
---
logsource:
product: netflow
@ -81,7 +81,7 @@ detection:
condition: selection
---
logsource:
product: firewall
category: firewall
detection:
selection1:
destination.port:

52
rules/compliance/default_credentials_usage.yml
View File

@ -81,29 +81,29 @@ detection:
falsepositives:
- unknown
level: medium
tags:
- CSC4
- CSC4.2
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
# tags:
# - CSC4
# - CSC4.2
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7

52
rules/compliance/group_modification_logging.yml
View File

@ -33,29 +33,29 @@ detection:
falsepositives:
- unknown
level: low
tags:
- CSC4
- CSC4.8
- NIST CSF 1.1 PR.AC-4
- NIST CSF 1.1 PR.AT-2
- NIST CSF 1.1 PR.MA-2
- NIST CSF 1.1 PR.PT-3
- ISO 27002-2013 A.9.1.1
- ISO 27002-2013 A.9.2.2
- ISO 27002-2013 A.9.2.3
- ISO 27002-2013 A.9.2.4
- ISO 27002-2013 A.9.2.5
- ISO 27002-2013 A.9.2.6
- ISO 27002-2013 A.9.3.1
- ISO 27002-2013 A.9.4.1
- ISO 27002-2013 A.9.4.2
- ISO 27002-2013 A.9.4.3
- ISO 27002-2013 A.9.4.4
- PCI DSS 3.2 2.1
- PCI DSS 3.2 7.1
- PCI DSS 3.2 7.2
- PCI DSS 3.2 7.3
- PCI DSS 3.2 8.1
- PCI DSS 3.2 8.2
- PCI DSS 3.2 8.3
- PCI DSS 3.2 8.7
# tags:
# - CSC4
# - CSC4.8
# - NIST CSF 1.1 PR.AC-4
# - NIST CSF 1.1 PR.AT-2
# - NIST CSF 1.1 PR.MA-2
# - NIST CSF 1.1 PR.PT-3
# - ISO 27002-2013 A.9.1.1
# - ISO 27002-2013 A.9.2.2
# - ISO 27002-2013 A.9.2.3
# - ISO 27002-2013 A.9.2.4
# - ISO 27002-2013 A.9.2.5
# - ISO 27002-2013 A.9.2.6
# - ISO 27002-2013 A.9.3.1
# - ISO 27002-2013 A.9.4.1
# - ISO 27002-2013 A.9.4.2
# - ISO 27002-2013 A.9.4.3
# - ISO 27002-2013 A.9.4.4
# - PCI DSS 3.2 2.1
# - PCI DSS 3.2 7.1
# - PCI DSS 3.2 7.2
# - PCI DSS 3.2 7.3
# - PCI DSS 3.2 8.1
# - PCI DSS 3.2 8.2
# - PCI DSS 3.2 8.3
# - PCI DSS 3.2 8.7

27
rules/compliance/host_without_firewall.yml
View File

@ -4,27 +4,28 @@ status: stable
description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.
author: Alexandr Yampolskyi, SOC Prime
date: 2019/03/19
modified: 2021/05/30
references:
- https://www.cisecurity.org/controls/cis-controls-list/
- https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
logsource:
product: Qualys
product: qualys
detection:
selection:
event.category: Security Policy
host.scan.vuln_name: Firewall Product Not Detected*
condition: selection
level: low
tags:
- CSC9
- CSC9.4
- NIST CSF 1.1 PR.AC-5
- NIST CSF 1.1 PR.AC-6
- NIST CSF 1.1 PR.AC-7
- NIST CSF 1.1 DE.AE-1
- ISO 27002-2013 A.9.1.2
- ISO 27002-2013 A.13.2.1
- ISO 27002-2013 A.13.2.2
- ISO 27002-2013 A.14.1.2
- PCI DSS 3.2 1.4
# tags:
# - CSC9
# - CSC9.4
# - NIST CSF 1.1 PR.AC-5
# - NIST CSF 1.1 PR.AC-6
# - NIST CSF 1.1 PR.AC-7
# - NIST CSF 1.1 DE.AE-1
# - ISO 27002-2013 A.9.1.2
# - ISO 27002-2013 A.13.2.1
# - ISO 27002-2013 A.13.2.2
# - ISO 27002-2013 A.14.1.2
# - PCI DSS 3.2 1.4

Some files were not shown because too many files have changed in this diff Show More