From 7392b8728a7bdd6c3a3c9ea4f86f12ec8f1848d3 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 7 Nov 2024 14:09:48 -0500
Subject: [PATCH 1/6] adding investigation fields to specific aws rules
---
 detection_rules/etc/non-ecs-schema.json | 2 +-
 ...m_sendcommand_with_command_parameters.toml | 23 ++++++++++++-
 ...se_evasion_cloudtrail_logging_deleted.toml | 23 +++++++++++--
 ...y_ec2_multi_region_describe_instances.toml | 11 +++++-
 ..._multiple_discovery_api_calls_via_cli.toml | 8 ++++-
 ...overy_new_terms_sts_getcalleridentity.toml | 31 ++++++++++++-----
 ...command_document_created_by_rare_user.toml | 32 +++++++++++++----
 ...n_sns_email_subscription_by_rare_user.toml | 18 +++++++++-
 ..._s3_bucket_enumeration_or_brute_force.toml | 9 ++++-
 ..._group_configuration_change_detection.toml | 21 +++++++++++-
 ...user_via_assumed_role_on_ec2_instance.toml | 17 +++++++++-
 ..._created_access_keys_for_another_user.toml | 34 +++++++++++++++++--
 ...stratoraccess_policy_attached_to_user.toml | 32 +++++++++++++++--
 ...tomer_managed_policy_attached_to_role.toml | 19 +++++++++--
 ...escalation_role_assumption_by_service.toml | 18 +++++++++-
 ...ge_escalation_role_assumption_by_user.toml | 21 +++++++++++-
 ...attempts_to_use_denied_models_by_user.toml | 10 +++++-
 ...ation_exception_errors_by_single_user.toml | 10 +++++-
 ...e_iam_instance_request_to_iam_service.toml | 22 +++++++++++-
 19 files changed, 325 insertions(+), 36 deletions(-)
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 1b3b24bebb2..ef82fd53792 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -152,7 +152,7 @@
 "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
 "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword",
 "aws.cloudtrail.flattened.request_parameters.roleName": "keyword",
- "aws.cloudtrail.flattened.request_paramters.policyArn": "keyword",
+ "aws.cloudtrail.flattened.request_parameters.policyArn": "keyword",
 "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword"
 },
 "logs-azure.signinlogs-*": {
diff --git a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
index 15ff7f8278e..a25013b77d2 100644
--- a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
+++ b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/09/03"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
-updated_date = "2024/09/23"
+updated_date = "2024/11/07"
+min_stack_comments = "New fields added: investigation_fields"
+min_stack_version = "8.11.0"
 [rule]
 author = ["Elastic"]
@@ -87,6 +89,25 @@ and process.args: (
 )
 '''
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "cloud.region",
+ "event.type",
+ "host.os.type",
+ "host.os.kernel",
+ "process.entry_leader.executable",
+ "process.entry_leader.group.name",
+ "process.entry_leader.real_user.name",
+ "process.entry_leader.working_directory",
+ "process.parent.executable",
+ "process.executable",
+ "process.hash.sha256",
+ "process.parent.command_line",
+ "process.command_line",
+ "process.args",
+ "process.user.name"
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 0bbea8b848a..6355c37f75d 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -2,7 +2,9 @@ creation_date = "2020/05/26" integration = ["aws"] maturity = "production" -updated_date = "2024/05/21" +updated_date = "2024/11/07" +min_stack_comments = "New fields added: investigation_fields" +min_stack_version = "8.11.0" [rule] author = ["Elastic"] @@ -86,9 +88,26 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success +event.dataset:aws.cloudtrail + and event.provider:cloudtrail.amazonaws.com + and event.action:DeleteTrail + and event.outcome:success ''' +[rule.investigation_fields] +field_names = [ + "event.action", + "event.outcome", + "cloud.region", + "user_agent.original", + "user.name", + "related.user", + "source.address", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.flattened.request_parameters.name", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.arn" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml index 711d3d688cb..fbbb99e91c8 100644 --- a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml +++ b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml @@ -2,7 +2,9 @@ creation_date = "2024/08/26" integration = ["aws"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" +min_stack_comments = "New fields added: investigation_fields" +min_stack_version = "8.11.0" [rule] author = ["Elastic"] @@ -107,6 +109,13 @@ from logs-aws.cloudtrail-* | sort target_time_window desc ''' +[rule.investigation_fields] +field_names = [ + "region_count", + "window_count", + "target_time_window", + "aws.cloudtrail.user_identity.arn" +] [[rule.threat]] framework = "MITRE ATT&CK" 
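Review bot: `aws.cloudtrail.flattened.request_parameters.name` in the new `field_names` list for the DeleteTrail rule is not among the flattened fields declared in `non-ecs-schema.json` in the first hunk of this patch, and the `request_paramters` typo corrected there shows how easily these names drift. If `investigation_fields` are not validated against the schema the way query fields are — I cannot tell from this diff — a wrong name only surfaces as a blank column in the alert details, so each `flattened.*` name should be checked against the keys the aws integration actually emits. The same check applies to `flattened.request_parameters.protocol` and `topicArn` plus `flattened.response_elements.subscriptionArn` in the SNS hunk, `flattened.request_parameters.instanceId` in the security-group hunk, and `flattened.request_parameters.roleSessionName` in both role-assumption hunks.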
diff --git a/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml b/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml index 8edc29e9864..a3e05953da5 100644 --- a/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml +++ b/rules/integrations/aws/discovery_ec2_multiple_discovery_api_calls_via_cli.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully" min_stack_version = "8.13.0" -updated_date = "2024/11/04" +updated_date = "2024/11/07" [rule] author = ["Elastic"] @@ -133,6 +133,12 @@ from logs-aws.cloudtrail* | sort unique_api_count desc ''' +[rule.investigation_fields] +field_names = [ + "time_window", + "aws.cloudtrail.user_identity.arn", + "unique_api_count" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml index ac3e56e3899..c55e7f74404 100644 --- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml +++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml 
@@ -2,19 +2,21 @@ creation_date = "2024/05/24" integration = ["aws"] maturity = "production" -updated_date = "2024/09/30" +updated_date = "2024/11/07" +min_stack_comments = "New fields added: investigation_fields" +min_stack_version = "8.11.0" [rule] author = ["Elastic"] description = """ -An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and -determine what account they are using. This rule looks for the first time an identity has called the -STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. +An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and +determine what account they are using. This rule looks for the first time an identity has called the +STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using. """ false_positives = [ """ - Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. + Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. If known behavior is causing false positives, it can be exempted from the rule. """, ] 
@@ -29,7 +31,7 @@ note = """## Triage and analysis ### Investigating AWS GetCallerIdentity API Called for the First Time AWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users. -The `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. +The `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. No permissions are required to run this operation and the same information is returned even when access is denied. This rule looks for use of the `GetCallerIdentity` operation. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days. @@ -93,10 +95,23 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' -event.dataset: "aws.cloudtrail" and event.provider: "sts.amazonaws.com" and event.action: "GetCallerIdentity" -and not aws.cloudtrail.user_identity.type: "AssumedRole" +event.dataset: "aws.cloudtrail" + and event.provider: "sts.amazonaws.com" + and event.action: "GetCallerIdentity" + and event.outcome: "success" + and not aws.cloudtrail.user_identity.type: "AssumedRole" ''' +[rule.investigation_fields] +field_names = [ + "event.action", + "event.outcome", + "cloud.region", + "user_agent.original", + "user.name", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.arn" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml index 1818b53dd15..174169be0bd 100644 --- a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml 
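Review bot: The query hunk adds `and event.outcome: "success"`, a detection-logic change that neither the commit subject ("adding investigation fields") nor the rule's `note` mentions. The triage text a few lines above states that GetCallerIdentity requires no permissions and returns the same information even when access is denied, so a denied call is arguably still the credential-validation signal this rule exists to catch; if the filter is intentional the rationale belongs in the note and commit message, and if it is not, the line should be dropped. As far as I can tell the new-terms baseline (first call by an identity in 15 days) would also be computed only from successful events after this change, which is worth confirming against data before release.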
+++ b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml @@ -2,16 +2,21 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2024/11/01" +updated_date = "2024/11/07" +min_stack_comments = "New fields added: investigation_fields" +min_stack_version = "8.11.0" [rule] author = ["Elastic"] description = """ -Identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to unauthorized access, command and control, data exfiltration and more. +Identifies when an AWS Systems Manager (SSM) command document is created by a user who does not typically perform this +action. Adversaries may create SSM command documents to execute commands on managed instances, potentially leading to +unauthorized access, command and control, data exfiltration and more. """ false_positives = [ """ - Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized and the user is known before taking action. + Legitimate users may create SSM command documents for legitimate purposes. Ensure that the document is authorized + and the user is known before taking action. """, ] from = "now-9m" @@ -19,8 +24,7 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "AWS SSM Command Document Created by Rare User" -note = """ -## Triage and Analysis +note = """## Triage and Analysis ### Investigating AWS SSM Command Document Created by Rare User 
@@ -55,7 +59,7 @@ For further guidance on managing and securing AWS Systems Manager in your enviro """ references = [ "https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_CreateDocument.html", - "https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html" + "https://docs.aws.amazon.com/systems-manager/latest/userguide/documents.html", ] risk_score = 21 rule_id = "50a2bdea-9876-11ef-89db-f661ea17fbcd" @@ -68,7 +72,7 @@ tags = [ "Data Source: AWS Systems Manager", "Resources: Investigation Guide", "Use Case: Threat Detection", - "Tactic: Execution" + "Tactic: Execution", ] timestamp_override = "event.ingested" type = "new_terms" @@ -81,6 +85,20 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.response_elements: *documentType=Command* ''' +[rule.investigation_fields] +field_names = [ + "event.action", + "event.outcome", + "cloud.region", + "related.user", + "user.name", + "user_agent.original", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type" +] + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml index ae249f70934..c6cd0cd1a40 100644 --- a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml +++ b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml @@ -2,7 +2,9 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" -updated_date = "2024/11/01" +updated_date = "2024/11/07" +min_stack_comments = "New fields added: investigation_fields" +min_stack_version = "8.11.0" [rule] author = ["Elastic"] 
@@ -81,6 +83,20 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.request_parameters: *protocol=email* ''' +[rule.investigation_fields] +field_names = [ + "event.action", + "event.outcome", + "cloud.region", + "user_agent.original", + "user.name", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.flattened.request_parameters.protocol", + "aws.cloudtrail.flattened.request_parameters.topicArn", + "aws.cloudtrail.flattened.response_elements.subscriptionArn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.arn" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml index 8513689c4c3..3bb60a51065 100644 --- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml +++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2024/05/01" maturity = "production" -updated_date = "2024/10/09" +updated_date = "2024/11/07" min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully" min_stack_version = "8.13.0" @@ -97,6 +97,13 @@ from logs-aws.cloudtrail* | where failed_requests > 40 ''' +[rule.investigation_fields] +field_names = [ + "failed_requests", + "tls.client.server_name", + "source.address", + "cloud.account.id" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index 8c70b9fabe9..0128d558601 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml 
@@ -2,7 +2,9 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" +min_stack_comments = "New fields added: investigation_fields" +min_stack_version = "8.11.0" [rule] author = ["Elastic", "Austin Songer"] @@ -100,6 +102,23 @@ event.dataset: "aws.cloudtrail" and event.outcome: "success" ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "cloud.region", + "event.provider", + "event.action", + "event.outcome", + "related.user", + "user_agent.original", + "user.name", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "aws.cloudtrail.flattened.request_parameters.instanceId", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type" +] + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml index bd9ea86e22c..db177b854e1 100644 --- a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml +++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml @@ -2,7 +2,9 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" -updated_date = "2024/11/04" +updated_date = "2024/11/07" +min_stack_comments = "New fields added: investigation_fields" +min_stack_version = "8.11.0" [rule] author = ["Elastic"] @@ -96,6 +98,19 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.user_identity.arn: *i-* ''' +[rule.investigation_fields] +field_names = [ + "event.action", + "event.outcome", + "cloud.region", + "related.user", + "user_agent.original", + "user.name", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type" +] [[rule.threat]] framework = "MITRE ATT&CK" 
diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index 89988bcd014..e852533e17a 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/06/13" integration = ["aws"] maturity = "production" -updated_date = "2024/10/09" +updated_date = "2024/11/07" min_stack_comments = "ES|QL rule type in technical preview as of 8.13" min_stack_version = "8.13.0" @@ -104,9 +104,39 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index and event.action == "CreateAccessKey" and event.outcome == "success" and user.name != user.target.name -| keep @timestamp, event.provider, event.action, event.outcome, user.name, user.target.name +| keep + @timestamp, + cloud.region, + event.provider, + event.action, + event.outcome, + user.name, + user.target.name, + related.user, + user_agent.original, + aws.cloudtrail.request_parameters, + aws.cloudtrail.response_elements, + aws.cloudtrail.user_identity.arn, + aws.cloudtrail.user_identity.type, ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "cloud.region", + "event.provider", + "event.action", + "event.outcome", + "user.name", + "user.target.name", + "related.user", + "user_agent.original", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type" +] + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml index 0518c0b92fb..6e8f286032b 100644 
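Review bot: The rewritten `| keep` list in the CreateAccessKey ES|QL query ends with `aws.cloudtrail.user_identity.type,` — a dangling comma right before the closing `'''`. As far as I know the ES|QL grammar does not accept a trailing comma in KEEP, so this rule would fail to parse when loaded; the AdministratorAccess hunk in the next file ends its `keep` on `user.name` without a comma, which is the form to match. Change the last line to `aws.cloudtrail.user_identity.type`. If the repository's rule validation does not already round-trip ES|QL queries through a parser, this is the kind of typo that check would catch.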
--- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml @@ -2,7 +2,7 @@ creation_date = "2024/05/30" integration = ["aws"] maturity = "production" -updated_date = "2024/10/09" +updated_date = "2024/11/07" min_stack_comments = "ES|QL rule type in technical preview as of 8.13." min_stack_version = "8.13.0" @@ -103,9 +103,37 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index | where event.provider == "iam.amazonaws.com" and event.action == "AttachUserPolicy" and event.outcome == "success" | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}" | where policyName == "AdministratorAccess" -| keep @timestamp, event.provider, event.action, event.outcome, policyName, target.userName +| keep + @timestamp, + cloud.region, + event.provider, + event.action, + event.outcome, + policyName, + target.userName, + aws.cloudtrail.request_parameters, + aws.cloudtrail.user_identity.arn, + related.user, + user_agent.original, + user.name ''' +[rule.investigation_fields] +field_names = [ + "@timestamp", + "cloud.region", + "event.provider", + "event.action", + "event.outcome", + "related.user", + "user_agent.original", + "user.name", + "policyName", + "target.userName", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.user_identity.arn" +] + [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 8bbbd1a4d6f..79b95cdd6d2 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml 
@@ -2,7 +2,9 @@
 creation_date = "2024/11/04"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/11/04"
+updated_date = "2024/11/07"
+min_stack_comments = "New fields added: investigation_fields"
+min_stack_version = "8.11.0"
 [rule]
 author = ["Elastic"]
@@ -94,9 +96,22 @@ event.dataset: "aws.cloudtrail"
 and event.provider: "iam.amazonaws.com"
 and event.action: "AttachRolePolicy"
 and event.outcome: "success"
- and not aws.cloudtrail.flattened.request_paramters.policyArn: arn\:aws\:iam\:\:aws\:policy*
+ and not aws.cloudtrail.flattened.request_parameters.policyArn: arn\:aws\:iam\:\:aws\:policy*
 '''
+[rule.investigation_fields]
+field_names = [
+ "event.action",
+ "event.outcome",
+ "cloud.region",
+ "user_agent.original",
+ "user.name",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.flattened.request_parameters.policyArn",
+ "aws.cloudtrail.flattened.request_parameters.roleName",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type"
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
index 8a417a91b93..24661a045da 100644
--- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
+++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml
@@ -2,7 +2,9 @@
 creation_date = "2021/05/17"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/11/05"
+updated_date = "2024/11/07"
+min_stack_comments = "New fields added: investigation_fields"
+min_stack_version = "8.11.0"
 [rule]
 author = ["Elastic", "Austin Songer"]
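Review bot: The `request_paramters` → `request_parameters` correction in the AttachRolePolicy query is a detection-logic fix rather than an investigation-field addition: assuming the misspelled field never existed in the index, the `not … policyArn: arn\:aws\:iam\:\:aws\:policy*` clause could never match, so the rule was also firing on AWS-managed policies being attached, and this change will reduce alert volume. That deserves a sentence in the commit message and ideally in the rule's `note` or a changelog entry, since downstream users will otherwise see the behavior change without explanation. On the positive side, the new investigation field `aws.cloudtrail.flattened.request_parameters.roleName` does match an entry in this patch's schema hunk.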
@@ -103,6 +105,20 @@ event.dataset: "aws.cloudtrail" ) ''' +[rule.investigation_fields] +field_names = [ + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.flattened.request_parameters.roleArn", + "aws.cloudtrail.flattened.request_parameters.roleSessionName", + "aws.cloudtrail.response_elements", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.invoked_by", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type" +] [[rule.threat]] framework = "MITRE ATT&CK" diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index 99720156af8..5968308ebcb 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml @@ -2,7 +2,9 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" -updated_date = "2024/11/05" +updated_date = "2024/11/07" +min_stack_comments = "New fields added: investigation_fields" +min_stack_version = "8.11.0" [rule] author = ["Elastic"] @@ -94,6 +96,23 @@ event.dataset: "aws.cloudtrail" and aws.cloudtrail.user_identity.type: ("AssumedRole" or "IAMUser") ''' +[rule.investigation_fields] +field_names = [ + "event.action", + "event.outcome", + "cloud.region", + "user.name", + "user_agent.original", + "source.address", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.flattened.request_parameters.roleArn", + "aws.cloudtrail.flattened.request_parameters.roleSessionName", + "aws.cloudtrail.response_elements", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type" +] [[rule.threat]] framework = "MITRE ATT&CK" 
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml
index 17aa3aae7e2..51c7ef6fc18 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2024/05/02"
 maturity = "production"
-updated_date = "2024/11/05"
+updated_date = "2024/11/07"
 min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
 min_stack_version = "8.13.0"
@@ -85,3 +85,11 @@ from logs-aws_bedrock.invocation-*
 | where total_denials > 3
 | sort total_denials desc
 '''
+
+[rule.investigation_fields]
+field_names = [
+ "total_denials",
+ "user.id",
+ "gen_ai.request.model.id",
+ "cloud.account.id"
+]
diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml
index c2f124cd5af..25afaa37968 100644
--- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml
+++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/11"
 integration = ["aws_bedrock"]
 maturity = "production"
-updated_date = "2024/11/05"
+updated_date = "2024/11/07"
 min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully; integration in tech preview"
 min_stack_version = "8.13.0"
@@ -92,3 +92,11 @@ from logs-aws_bedrock.invocation-*
 | stats total_denials = count(*) by target_time_window, user.id, cloud.account.id
 | where total_denials > 3
 '''
+
+[rule.investigation_fields]
+field_names = [
+ "total_denials",
+ "target_time_window",
+ "user.id",
+ "cloud.account.id"
+]
diff --git a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml
index fcc0f8c20a1..23d532eab0b 100644
--- a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml
+++ b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml
@@ -3,7 +3,9 @@ bypass_bbr_timing = true
 creation_date = "2024/07/24"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/11/05"
+updated_date = "2024/11/07"
+min_stack_comments = "New fields added: investigation_fields"
+min_stack_version = "8.11.0"
 [rule]
 author = ["Elastic"]
@@ -64,6 +66,24 @@ any where event.dataset == "aws.cloudtrail"
 )
 '''
+[rule.investigation_fields]
+field_names = [
+ "@timestamp",
+ "cloud.region",
+ "event.provider",
+ "event.action",
+ "event.outcome",
+ "aws.cloudtrail.request_parameters",
+ "aws.cloudtrail.response_elements",
+ "aws.cloudtrail.user_identity.arn",
+ "aws.cloudtrail.user_identity.type",
+ "related.user",
+ "source.address",
+ "user.name",
+ "user.id",
+ "user.target.name",
+ "user_agent.original"
+]
 [[rule.threat]]
 framework = "MITRE ATT&CK"
From 22d678528ac9fda6fed36bea37d254adac443654 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 7 Nov 2024 14:13:44 -0500
Subject: [PATCH 2/6] updated patch
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 10b2b57f8bc..c5aeba9a8bc 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.1.3"
+version = "0.1.4"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
From 972c77574bcb67dd597fad8d75d9b66342c84337 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Fri, 8 Nov 2024 12:39:52 -0500
Subject: [PATCH 3/6] removing min-stack requirements
---
 .../execution_aws_ssm_sendcommand_with_command_parameters.toml | 2 --
 .../aws/defense_evasion_cloudtrail_logging_deleted.toml | 2 --
 .../aws/discovery_ec2_multi_region_describe_instances.toml | 2 --
 .../aws/discovery_new_terms_sts_getcalleridentity.toml | 2 --
 .../execution_ssm_command_document_created_by_rare_user.toml | 2 --
 .../aws/exfiltration_sns_email_subscription_by_rare_user.toml | 2 --
 ...tence_ec2_security_group_configuration_change_detection.toml | 2 --
 ...stence_iam_create_user_via_assumed_role_on_ec2_instance.toml | 2 --
 ...escalation_iam_customer_managed_policy_attached_to_role.toml | 2 --
 .../aws/privilege_escalation_role_assumption_by_service.toml | 2 --
 .../aws/privilege_escalation_role_assumption_by_user.toml | 2 --
 .../persistence_iam_instance_request_to_iam_service.toml | 2 --
 12 files changed, 24 deletions(-)
diff --git a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
index a25013b77d2..e27ace70ab6 100644
--- a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
+++ b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
@@ -3,8 +3,6 @@ creation_date = "2022/09/03"
 integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 updated_date = "2024/11/07"
-min_stack_comments = "New fields added: investigation_fields"
-min_stack_version = "8.11.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 6355c37f75d..7ff4200d04e 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -3,8 +3,6 @@ creation_date = "2020/05/26"
 integration = ["aws"]
 maturity = "production"
 updated_date = "2024/11/07"
-min_stack_comments = "New fields added: investigation_fields"
-min_stack_version = "8.11.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml
index fbbb99e91c8..04d8cf10774 100644
--- a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml
+++ b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml
@@ -3,8 +3,6 @@ creation_date = "2024/08/26"
 integration = ["aws"]
 maturity = "production"
 updated_date = "2024/11/07"
-min_stack_comments = "New fields added: investigation_fields"
-min_stack_version = "8.11.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
index c55e7f74404..18ebb789ee2 100644
--- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
+++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
@@ -3,8 +3,6 @@ creation_date = "2024/05/24" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml index 174169be0bd..e4121616727 100644 --- a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml +++ b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml @@ -3,8 +3,6 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml index c6cd0cd1a40..b590a2402e0 100644 --- a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml +++ b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml @@ -3,8 +3,6 @@ creation_date = "2024/11/01" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index 0128d558601..4c088058516 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml 
@@ -3,8 +3,6 @@ creation_date = "2021/05/05" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml index db177b854e1..f0df186138b 100644 --- a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml +++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml @@ -3,8 +3,6 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 79b95cdd6d2..b87efe1a742 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -3,8 +3,6 @@ creation_date = "2024/11/04" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic"] diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index 24661a045da..b57d0f1ba27 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml 
@@ -3,8 +3,6 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic", "Austin Songer"] diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index 5968308ebcb..808059c8f7c 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml @@ -3,8 +3,6 @@ creation_date = "2024/11/05" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic"] diff --git a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml index 23d532eab0b..f4aef34d932 100644 --- a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml +++ b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml @@ -4,8 +4,6 @@ creation_date = "2024/07/24" integration = ["aws"] maturity = "production" updated_date = "2024/11/07" -min_stack_comments = "New fields added: investigation_fields" -min_stack_version = "8.11.0" [rule] author = ["Elastic"] From 7974922124bef82c4c2f1df3582501a11344bd8e Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 8 Nov 2024 13:06:33 -0500 Subject: [PATCH 4/6] removed user.name redundancy --- .../aws/defense_evasion_cloudtrail_logging_deleted.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index 7ff4200d04e..7c85dba4bcd 100644 
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -99,7 +99,6 @@ field_names = [ "cloud.region", "user_agent.original", "user.name", - "related.user", "source.address", "aws.cloudtrail.request_parameters", "aws.cloudtrail.flattened.request_parameters.name", From 09d81861a34cd748e75f6eb4ce8d752f41ee5bd6 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 8 Nov 2024 17:25:00 -0500 Subject: [PATCH 5/6] adjusted order of investigation fields --- ...m_sendcommand_with_command_parameters.toml | 10 +++++----- ...se_evasion_cloudtrail_logging_deleted.toml | 15 ++++++++------- ...y_ec2_multi_region_describe_instances.toml | 6 +++--- ...overy_new_terms_sts_getcalleridentity.toml | 10 ++++++---- ...command_document_created_by_rare_user.toml | 10 +++++----- ...n_sns_email_subscription_by_rare_user.toml | 11 ++++++----- ..._s3_bucket_enumeration_or_brute_force.toml | 6 +++--- ..._group_configuration_change_detection.toml | 17 ++++++++--------- ...user_via_assumed_role_on_ec2_instance.toml | 12 ++++++------ ..._created_access_keys_for_another_user.toml | 15 +++++++-------- ...stratoraccess_policy_attached_to_user.toml | 17 ++++++++--------- ...tomer_managed_policy_attached_to_role.toml | 16 +++++++++------- ...escalation_role_assumption_by_service.toml | 16 +++++++++------- ...ge_escalation_role_assumption_by_user.toml | 17 +++++++++-------- ...attempts_to_use_denied_models_by_user.toml | 4 ++-- ...ation_exception_errors_by_single_user.toml | 5 +++-- ...e_iam_instance_request_to_iam_service.toml | 19 +++++++++---------- 17 files changed, 106 insertions(+), 100 deletions(-) diff --git a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml index e27ace70ab6..ee87869d33c 100644 --- a/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml 
+++ b/rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml @@ -90,21 +90,21 @@ and process.args: ( [rule.investigation_fields] field_names = [ "@timestamp", - "cloud.region", + "process.user.name", + "process.entry_leader.group.name", + "process.entry_leader.real_user.name", + "event.action", "event.type", "host.os.type", "host.os.kernel", "process.entry_leader.executable", - "process.entry_leader.group.name", - "process.entry_leader.real_user.name", "process.entry_leader.working_directory", "process.parent.executable", "process.executable", "process.hash.sha256", "process.parent.command_line", "process.command_line", - "process.args", - "process.user.name" + "process.args" ] [[rule.threat]] diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index 7c85dba4bcd..491774c610c 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -94,16 +94,17 @@ event.dataset:aws.cloudtrail [rule.investigation_fields] field_names = [ - "event.action", - "event.outcome", - "cloud.region", - "user_agent.original", + "@timestamp", "user.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", "source.address", - "aws.cloudtrail.request_parameters", + "user_agent.original", "aws.cloudtrail.flattened.request_parameters.name", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.user_identity.arn" + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters" ] [[rule.threat]] diff --git a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml index 04d8cf10774..ac33fffcfe4 100644 --- a/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml 
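Review bot: Dropping `"cloud.region"` from the SSM SendCommand rule's field list leaves no cloud identifier at all in the investigation view, yet the point of this host-side rule is to tie the spawned process back to the instance that received the SendCommand. If the agent's cloud-metadata enrichment populates it, `"cloud.instance.id",` (and `"cloud.account.id",`) after `host.os.kernel` would let an analyst pivot straight to the matching CloudTrail SendCommand event's instance ids; region alone was weaker, but removing it without a replacement loses the pivot entirely. The query this list belongs to is outside this hunk.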
+++ b/rules/integrations/aws/discovery_ec2_multi_region_describe_instances.toml @@ -109,10 +109,10 @@ from logs-aws.cloudtrail-* [rule.investigation_fields] field_names = [ - "region_count", - "window_count", + "aws.cloudtrail.user_identity.arn", "target_time_window", - "aws.cloudtrail.user_identity.arn" + "region_count", + "window_count" ] [[rule.threat]] diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml index 18ebb789ee2..ae1a5b0c42d 100644 --- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml +++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml @@ -102,13 +102,15 @@ event.dataset: "aws.cloudtrail" [rule.investigation_fields] field_names = [ + "@timestamp", + "user.name", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.arn", + "user_agent.original", "event.action", "event.outcome", "cloud.region", - "user_agent.original", - "user.name", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.user_identity.arn" + "aws.cloudtrail.request_parameters" ] [[rule.threat]] diff --git a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml index e4121616727..1a1eea28f07 100644 --- a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml +++ b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml 
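Review bot: `"aws.cloudtrail.request_parameters"` is newly added to the GetCallerIdentity new-terms rule, but to my knowledge `sts:GetCallerIdentity` takes no request parameters, so that column will presumably be empty on every alert and only pads the view. A more useful addition for this call is the credential that made it, `"aws.cloudtrail.user_identity.access_key_id",` after `aws.cloudtrail.user_identity.arn`, if the integration maps that field, since a first-seen GetCallerIdentity is usually an attacker checking a freshly obtained key. The rule's query sits outside this hunk.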
@@ -85,16 +85,16 @@ event.dataset: "aws.cloudtrail" [rule.investigation_fields] field_names = [ + "@timestamp", + "user.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", "event.action", "event.outcome", "cloud.region", - "related.user", - "user.name", - "user_agent.original", "aws.cloudtrail.request_parameters", "aws.cloudtrail.response_elements", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type" ] [[rule.threat]] diff --git a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml index b590a2402e0..e8e50faef62 100644 --- a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml +++ b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml @@ -83,17 +83,18 @@ event.dataset: "aws.cloudtrail" [rule.investigation_fields] field_names = [ + "@timestamp", + "user.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", "event.action", "event.outcome", "cloud.region", - "user_agent.original", - "user.name", - "aws.cloudtrail.request_parameters", "aws.cloudtrail.flattened.request_parameters.protocol", "aws.cloudtrail.flattened.request_parameters.topicArn", "aws.cloudtrail.flattened.response_elements.subscriptionArn", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.user_identity.arn" + "aws.cloudtrail.request_parameters" ] [[rule.threat]] diff --git a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml index 3bb60a51065..37d950ef7f6 100644 --- a/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml +++ b/rules/integrations/aws/impact_aws_s3_bucket_enumeration_or_brute_force.toml 
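Review bot: The SNS email-subscription field list exposes `protocol`, `topicArn` and the resulting `subscriptionArn` but not the subscription endpoint, which for an email subscription is the destination mailbox and is the single value an analyst needs to judge whether data is leaving the account. If the Subscribe request's `endpoint` is flattened, add `"aws.cloudtrail.flattened.request_parameters.endpoint",` next to `topicArn` (that presumably needs a matching entry in the non-ECS schema, like the other flattened fields); otherwise the analyst has to dig it out of the raw `aws.cloudtrail.request_parameters`, which this hunk moves to the end of the list.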
@@ -99,10 +99,10 @@ from logs-aws.cloudtrail* [rule.investigation_fields] field_names = [ - "failed_requests", - "tls.client.server_name", "source.address", - "cloud.account.id" + "tls.client.server_name", + "cloud.account.id", + "failed_requests" ] [[rule.threat]] diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml index 4c088058516..c01a4fe6b96 100644 --- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml +++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml @@ -103,18 +103,17 @@ event.dataset: "aws.cloudtrail" [rule.investigation_fields] field_names = [ "@timestamp", - "cloud.region", - "event.provider", + "user.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", + "aws.cloudtrail.flattened.request_parameters.instanceId", "event.action", "event.outcome", - "related.user", - "user_agent.original", - "user.name", + "cloud.region", + "event.provider", "aws.cloudtrail.request_parameters", - "aws.cloudtrail.response_elements", - "aws.cloudtrail.flattened.request_parameters.instanceId", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type" + "aws.cloudtrail.response_elements" ] diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml index f0df186138b..7795510d39a 100644 --- a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml +++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml 
@@ -98,16 +98,16 @@ event.dataset: "aws.cloudtrail" [rule.investigation_fields] field_names = [ + "@timestamp", + "user.name", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", "event.action", "event.outcome", "cloud.region", - "related.user", - "user_agent.original", - "user.name", "aws.cloudtrail.request_parameters", - "aws.cloudtrail.response_elements", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type" + "aws.cloudtrail.response_elements" ] [[rule.threat]] diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index e852533e17a..fd311450cf3 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -123,18 +123,17 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index [rule.investigation_fields] field_names = [ "@timestamp", - "cloud.region", - "event.provider", - "event.action", - "event.outcome", "user.name", - "user.target.name", - "related.user", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", "user_agent.original", + "user.target.name", + "event.action", + "event.outcome", + "cloud.region", + "event.provider", "aws.cloudtrail.request_parameters", "aws.cloudtrail.response_elements", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type" ] diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml index 6e8f286032b..5ed2fcf0e07 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml 
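Review bot: For the created-access-keys rule the actor's own credential is missing from the investigation view: `aws.cloudtrail.user_identity.arn` says who called CreateAccessKey, but not which access key did it, and that key id is the pivot for scoping a compromised credential. If the rule's ES|QL `keep` (outside this hunk) retains it, add `"aws.cloudtrail.user_identity.access_key_id",` after `aws.cloudtrail.user_identity.type`. As a minor style point, `"aws.cloudtrail.response_elements",` now ends the array with a trailing comma before `]`; TOML accepts it, but the other lists in this series close without one.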
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml @@ -121,17 +121,16 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index [rule.investigation_fields] field_names = [ "@timestamp", - "cloud.region", - "event.provider", - "event.action", - "event.outcome", - "related.user", - "user_agent.original", "user.name", - "policyName", + "aws.cloudtrail.user_identity.arn", + "user_agent.original", "target.userName", - "aws.cloudtrail.request_parameters", - "aws.cloudtrail.user_identity.arn" + "event.action", + "policyName", + "event.outcome", + "cloud.region", + "event.provider", + "aws.cloudtrail.request_parameters" ] diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index b87efe1a742..2372eb2d39b 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -99,16 +99,18 @@ event.dataset: "aws.cloudtrail" [rule.investigation_fields] field_names = [ - "event.action", - "event.outcome", - "cloud.region", - "user_agent.original", + "@timestamp", "user.name", - "aws.cloudtrail.request_parameters", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", "aws.cloudtrail.flattened.request_parameters.policyArn", "aws.cloudtrail.flattened.request_parameters.roleName", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type" + "event.action", + "event.outcome", + "cloud.region", + "event.provider", + "aws.cloudtrail.request_parameters" ] [[rule.threat]] diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml index b57d0f1ba27..c23ae37fbfb 100644 
--- a/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_service.toml @@ -105,17 +105,19 @@ event.dataset: "aws.cloudtrail" [rule.investigation_fields] field_names = [ + "@timestamp", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.resources.arn", + "aws.cloudtrail.resources.type", + "source.address", + "aws.cloudtrail.user_identity.invoked_by", + "aws.cloudtrail.flattened.request_parameters.roleArn", + "aws.cloudtrail.flattened.request_parameters.roleSessionName", "event.action", "event.outcome", "cloud.region", "aws.cloudtrail.request_parameters", - "aws.cloudtrail.flattened.request_parameters.roleArn", - "aws.cloudtrail.flattened.request_parameters.roleSessionName", - "aws.cloudtrail.response_elements", - "aws.cloudtrail.user_identity.type", - "aws.cloudtrail.user_identity.invoked_by", - "aws.cloudtrail.resources.arn", - "aws.cloudtrail.resources.type" + "aws.cloudtrail.response_elements" ] [[rule.threat]] diff --git a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml index 808059c8f7c..da41ca73b82 100644 --- a/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml +++ b/rules/integrations/aws/privilege_escalation_role_assumption_by_user.toml 
@@ -96,20 +96,21 @@ event.dataset: "aws.cloudtrail" [rule.investigation_fields] field_names = [ - "event.action", - "event.outcome", - "cloud.region", + "@timestamp", "user.name", "user_agent.original", "source.address", - "aws.cloudtrail.request_parameters", - "aws.cloudtrail.flattened.request_parameters.roleArn", - "aws.cloudtrail.flattened.request_parameters.roleSessionName", - "aws.cloudtrail.response_elements", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.resources.arn", - "aws.cloudtrail.resources.type" + "aws.cloudtrail.resources.type", + "aws.cloudtrail.flattened.request_parameters.roleArn", + "aws.cloudtrail.flattened.request_parameters.roleSessionName", + "event.action", + "event.outcome", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" ] [[rule.threat]] diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml index 51c7ef6fc18..d0658be9570 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml @@ -88,8 +88,8 @@ from logs-aws_bedrock.invocation-* [rule.investigation_fields] field_names = [ - "total_denials", "user.id", + "cloud.account.id", "gen_ai.request.model.id", - "cloud.account.id" + "total_denials" ] diff --git a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml index 25afaa37968..2e006fe164d 100644 --- a/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml +++ b/rules/integrations/aws_bedrock/aws_bedrock_multiple_validation_exception_errors_by_single_user.toml 
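Review bot: The AssumeRole-by-user field list shows what was requested (`roleArn`, `roleSessionName`) but not the session the call produced; the `assumedRoleUser.arn` and temporary `accessKeyId` in the response are what an analyst pivots on to find everything that session did afterwards. Consider adding `"aws.cloudtrail.flattened.response_elements.assumedRoleUser.arn",` after `roleSessionName`, which presumably needs a non-ECS schema entry like the other flattened fields, while keeping the raw `aws.cloudtrail.response_elements` last as this hunk does.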
@@ -95,8 +95,9 @@ from logs-aws_bedrock.invocation-* [rule.investigation_fields] field_names = [ - "total_denials", "target_time_window", "user.id", - "cloud.account.id" + "cloud.account.id", + "total_denials" + ] diff --git a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml index f4aef34d932..e4a2ed6fd5e 100644 --- a/rules_building_block/persistence_iam_instance_request_to_iam_service.toml +++ b/rules_building_block/persistence_iam_instance_request_to_iam_service.toml @@ -67,20 +67,19 @@ any where event.dataset == "aws.cloudtrail" [rule.investigation_fields] field_names = [ "@timestamp", - "cloud.region", - "event.provider", - "event.action", - "event.outcome", - "aws.cloudtrail.request_parameters", - "aws.cloudtrail.response_elements", - "aws.cloudtrail.user_identity.arn", - "aws.cloudtrail.user_identity.type", - "related.user", "source.address", "user.name", "user.id", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.type", + "user_agent.original", "user.target.name", - "user_agent.original" + "event.action", + "event.outcome", + "cloud.region", + "event.provider", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" ] [[rule.threat]] From 836a81213764a83ce918267d64a372bdce198654 Mon Sep 17 00:00:00 2001 
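Review bot: The bedrock validation-exception hunk adds an empty `+` line (with trailing whitespace) between `"total_denials"` and the closing `]`, which no other field list in this series has; drop that blank line so the array closes directly after its last element. Separately, a column named `total_denials` in a rule that counts validation exceptions reads like a copy from the denied-models rule; the ES|QL query outside this hunk decides the real column name, so it is worth confirming it matches what the `stats` clause emits.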
From: terrancedejesus Date: Fri, 8 Nov 2024 17:30:42 -0500 Subject: [PATCH 6/6] adding source address --- .../aws/discovery_new_terms_sts_getcalleridentity.toml | 1 + .../execution_ssm_command_document_created_by_rare_user.toml | 1 + .../aws/exfiltration_sns_email_subscription_by_rare_user.toml | 1 + ...ence_iam_create_user_via_assumed_role_on_ec2_instance.toml | 1 + ...istence_iam_user_created_access_keys_for_another_user.toml | 3 ++- ...ation_iam_administratoraccess_policy_attached_to_user.toml | 4 +++- ...calation_iam_customer_managed_policy_attached_to_role.toml | 1 + 7 files changed, 10 insertions(+), 2 deletions(-) diff --git a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml index ae1a5b0c42d..c1e8b989bf9 100644 --- a/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml +++ b/rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml @@ -104,6 +104,7 @@ event.dataset: "aws.cloudtrail" field_names = [ "@timestamp", "user.name", + "source.address", "aws.cloudtrail.user_identity.type", "aws.cloudtrail.user_identity.arn", "user_agent.original", diff --git a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml index 1a1eea28f07..6062fe1ad86 100644 --- a/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml +++ b/rules/integrations/aws/execution_ssm_command_document_created_by_rare_user.toml @@ -87,6 +87,7 @@ event.dataset: "aws.cloudtrail" field_names = [ "@timestamp", "user.name", + "source.address", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "user_agent.original", diff --git a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml index e8e50faef62..256caac2f0b 100644 
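Review bot: `source.address` is a good pivot, but its meaning in CloudTrail is not uniform, and this series adds it to several rules at once without saying so: as I understand the log, when an AWS service makes the call on a principal's behalf `sourceIPAddress` is a service DNS name rather than an IP, and calls made through a VPC endpoint show a private address, so an unexpected value must not be read as an external login. A one-line `#` comment above the entry, e.g. `# CloudTrail sourceIPAddress; a service hostname when an AWS service acted on the user's behalf`, or a sentence in each rule's investigation guide (outside these hunks), would prevent that misreading.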
--- a/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml +++ b/rules/integrations/aws/exfiltration_sns_email_subscription_by_rare_user.toml @@ -85,6 +85,7 @@ event.dataset: "aws.cloudtrail" field_names = [ "@timestamp", "user.name", + "source.address", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "user_agent.original", diff --git a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml index 7795510d39a..787afc8f6ad 100644 --- a/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml +++ b/rules/integrations/aws/persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml @@ -100,6 +100,7 @@ event.dataset: "aws.cloudtrail" field_names = [ "@timestamp", "user.name", + "source.address", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "user_agent.original", diff --git a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml index fd311450cf3..6679751599d 100644 --- a/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml +++ b/rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml @@ -111,8 +111,8 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index event.action, event.outcome, user.name, + source.address, user.target.name, - related.user, user_agent.original, aws.cloudtrail.request_parameters, aws.cloudtrail.response_elements, @@ -124,6 +124,7 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index field_names = [ "@timestamp", "user.name", + "source.address", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "user_agent.original", 
diff --git a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml index 5ed2fcf0e07..113fc52efbc 100644 --- a/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml +++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml @@ -115,13 +115,15 @@ from logs-aws.cloudtrail-* metadata _id, _version, _index aws.cloudtrail.user_identity.arn, related.user, user_agent.original, - user.name + user.name, + source.address ''' [rule.investigation_fields] field_names = [ "@timestamp", "user.name", + "source.address", "aws.cloudtrail.user_identity.arn", "user_agent.original", "target.userName", diff --git a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml index 2372eb2d39b..0e20b0ca5e4 100644 --- a/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml +++ b/rules/integrations/aws/privilege_escalation_iam_customer_managed_policy_attached_to_role.toml @@ -101,6 +101,7 @@ event.dataset: "aws.cloudtrail" field_names = [ "@timestamp", "user.name", + "source.address", "aws.cloudtrail.user_identity.arn", "aws.cloudtrail.user_identity.type", "user_agent.original",
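Review bot: In the AdministratorAccess rule the ES|QL `keep` still retains `related.user` (the context line above `user_agent.original`) although an earlier patch in this series removed it from the rule's investigation fields, whereas the sibling access-keys rule dropped it from both the `keep` and the field list; either remove `related.user,` from this `keep` too or put it back in `field_names` so the two ES|QL rules stay consistent. An unused kept column is harmless on its own, but it lets the two rules drift. The remainder of the ES|QL query lies outside this hunk.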