updating yaml to pass build and adding lookup, minor fixes

patel-bhavin · patel-bhavin · commit 0ec052b8f912 · 2025-02-13T15:36:01.000-08:00
diff --git a/baselines/baseline_of_open_s3_bucket_decommissioning.yml b/baselines/baseline_of_open_s3_bucket_decommissioning.yml
@@ -1,15 +1,16 @@
-data_source: []
-mitre_attack_ids: ''
-security_domain: audit
 name: Baseline Of Open S3 Bucket Decommissioning
 id: 984e9022-b87b-499a-a260-8d0282c46ea2
 version: 1
 date: '2025-02-12'
 author: Jose Hernandez
 type: Baseline
 status: production
-description: This baseline search identifies S3 buckets that were previously exposed to the public (either through bucket policies or website hosting) and have been subsequently deleted. This helps track the lifecycle of potentially risky S3 bucket configurations and their proper decommissioning.
-kind: cloud
+description: |-
+  The following analytic identifies S3 buckets that were previously exposed to the public and have been subsequently deleted. It leverages AWS CloudTrail logs to track the lifecycle of potentially risky S3 bucket configurations. This activity is crucial for ensuring that public access to sensitive data is properly managed and decommissioned. By monitoring these events, organizations can ensure that exposed buckets are promptly deleted, reducing the risk of unauthorized access. Immediate investigation is recommended to confirm the proper decommissioning of these buckets and to ensure no sensitive data remains exposed. This baseline detection creates a lookup table of decommissioned buckets.csv and their associated events which can be used by detection searches to trigger alerts when decommissioned buckets are detected.
+
+  The  following detections searches leverage this baseline search and the lookup table.
+  * Detect DNS Query to Decommissioned S3 Bucket
+  * Detect Web Access to Decommissioned S3 Bucket
 search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR eventName=PutBucketPolicy OR eventName=PutBucketWebsite)
 | spath input=_raw path=requestParameters.bucketName output=bucketName
 | spath input=_raw path=requestParameters.Host output=host
@@ -36,7 +37,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR
 | eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
 | eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
 | table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
-| outputlookup append=true decommissioned_buckets.csv | `baseline_of_open_s3_bucket_decommissioning_filter`'
+| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
 how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup file named decommissioned_buckets.csv which tracks the history of deleted buckets that were previously exposed to the public.
 known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
 references:
@@ -47,7 +48,6 @@ tags:
   analytic_story:
   - AWS S3 Bucket Security Monitoring
   - Suspicious AWS S3 Activities
-  message: An S3 bucket that was previously configured with public access has been deleted
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
diff --git a/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml b/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml
@@ -4,7 +4,7 @@ version: 1
 date: '2025-02-12'
 author: Jose Hernandez, Splunk
 status: experimental
-type: anomaly
+type: Anomaly
 description: This detection identifies DNS queries to domains that match previously decommissioned S3 buckets. This activity is significant because attackers may attempt to recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
 data_source:
 - DNS logs
@@ -13,7 +13,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
 | `security_content_ctime(firstTime)` 
 | `security_content_ctime(lastTime)` 
 | eval bucket_domain = lower(query) 
-| lookup decommissioned_buckets.csv bucketName as bucket_domain OUTPUT bucketName as match 
+| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match 
 | where isnotnull(match) 
 | `detect_dns_query_to_decommissioned_s3_bucket_filter`'
 how_to_implement: To successfully implement this detection, you need to be ingesting DNS query logs and have them mapped to the Network_Resolution data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets.csv lookup file.
diff --git a/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml b/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml
@@ -4,7 +4,7 @@ version: 1
 date: '2025-02-12'
 author: Jose Hernandez, Splunk
 status: experimental
-type: anomaly
+type: Anomaly
 description: This detection identifies web requests to domains that match previously decommissioned S3 buckets through web proxy logs. This activity is significant because attackers may attempt to access or recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
 data_source:
 - Web proxy logs
@@ -13,7 +13,7 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
 | `security_content_ctime(firstTime)` 
 | `security_content_ctime(lastTime)` 
 | eval bucket_domain = lower(url_domain) 
-| lookup decommissioned_buckets.csv bucketName as bucket_domain OUTPUT bucketName as match 
+| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match 
 | where isnotnull(match) 
 | `detect_web_access_to_decommissioned_s3_bucket_filter`'
 how_to_implement: To successfully implement this detection, you need to be ingesting web proxy logs and have them mapped to the Web data model. Additionally, ensure that the baseline search "Baseline Of Open S3 Bucket Decommissioning" is running and populating the decommissioned_buckets.csv lookup file.
@@ -43,7 +43,7 @@ tags:
   analytic_story:
   - AWS S3 Bucket Security Monitoring
   - Data Destruction
-  asset_type: Web
+  asset_type: S3 Bucket
   mitre_attack_id:
   - T1485
   product:
diff --git a/lookups/decommissioned_buckets.csv b/lookups/decommissioned_buckets.csv
@@ -0,0 +1 @@
+bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
diff --git a/lookups/decommissioned_buckets.yml b/lookups/decommissioned_buckets.yml
@@ -0,0 +1,9 @@
+name: decommissioned_buckets
+date: 2025-02-14
+version: 1
+id: b3a95eff-87cf-40f3-b6e0-5b1a11eed68f
+author: Bhavin Patel
+lookup_type: csv
+default_match: false
+description: A lookup table of decommissioned S3 buckets created by baseline - Baseline of Open S3 Bucket Decommissioning. This lookup table is used by detections searches to trigger alerts when decommissioned buckets are detected.
+min_matches: 1

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions`