Branch was auto-updated.

Author: patel-bhavin

detections/cloud/asl_aws_create_access_key.yml

@@ -20,19 +20,9 @@ tags:
   asset_type: AWS Account
   confidence: 90
   impact: 70
-  message: User $user$ is attempting to create access keys
   mitre_attack_id:
   - T1136.003
   - T1136
-  observable:
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -45,7 +35,6 @@ tags:
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
-  risk_score: 63
   security_domain: network
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml

@@ -23,13 +23,19 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: User $user$ created a policy version that allows them to access any resource in their account
+  risk_objects:
+  - field: user
+    type: user
+    score: 49
+  threat_objects: []
 tags:
   analytic_story:
   - AWS IAM Privilege Escalation
   asset_type: AWS Account
   confidence: 70
   impact: 70
-  message: User $user$ created a policy version that allows them to access any resource in their account.
   mitre_attack_id:
   - T1078.004
   - T1078
@@ -51,7 +57,6 @@ tags:
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
-  risk_score: 49
   security_domain: network
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_credential_access_getpassworddata.yml

@@ -23,13 +23,20 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: User $user$ is seen to make `GetPasswordData` API calls
+  risk_objects:
+  - field: user
+    type: user
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - AWS Identity and Access Management Account Takeover
   asset_type: AWS Account
   confidence: 70
   impact: 70
-  message: User $user$ is seen to make `GetPasswordData` API calls 
   mitre_attack_id:
   - T1586
   - T1586.003

detections/cloud/asl_aws_credential_access_rds_password_reset.yml

@@ -22,26 +22,25 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: User $user$ is seen to reset the password for database
+  risk_objects:
+  - field: user
+    type: user
+    score: 49
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - AWS Identity and Access Management Account Takeover
   asset_type: AWS Account
   confidence: 70
   impact: 70
-  message: User $user$ is seen to reset the password for database 
   mitre_attack_id:
   - T1586
   - T1586.003
   - T1110
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -55,7 +54,6 @@ tags:
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
-  risk_score: 49
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml

@@ -13,27 +13,26 @@ how_to_implement: The detection is based on Amazon Security Lake events from Ama
 known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.
 references:
 - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
+rba:
+  message: User $user$ has created a new rule to on an S3 bucket $bucketName$ with short expiration days
+  risk_objects:
+  - field: user
+    type: user
+    score: 20
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - AWS Defense Evasion
   asset_type: AWS Account
   confidence: 40
   impact: 50
-  message: User $user$ has created a new rule to on an S3 bucket $bucketName$ with short expiration days
   mitre_attack_id:
   - T1562.008
   - T1562
   - T1485.001
   - T1485
-  observable:
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
-  - name: user
-    type: User
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -47,7 +46,6 @@ tags:
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
-  risk_score: 20
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml

@@ -37,6 +37,13 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts
+  risk_objects:
+  - field: user
+    type: user
+    score: 25
+  threat_objects: []
 tags:
   analytic_story:
   - Ransomware Cloud
@@ -46,11 +53,6 @@ tags:
   message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts.
   mitre_attack_id:
   - T1486
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -64,7 +66,6 @@ tags:
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
-  risk_score: 25
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_disable_bucket_versioning.yml

@@ -30,25 +30,24 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src_ip$
+  risk_objects:
+  - field: user
+    type: user
+    score: 64
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - Suspicious AWS S3 Activities
   - Data Exfiltration
   asset_type: AWS Account
   confidence: 80
   impact: 80
-  message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src_ip$
   mitre_attack_id:
   - T1490
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -62,7 +61,6 @@ tags:
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
-  risk_score: 64
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml

@@ -30,25 +30,24 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: AWS EC2 snapshot from user $user$ is shared publicly by user $user$
+  risk_objects:
+  - field: user
+    type: user
+    score: 48
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - Suspicious Cloud Instance Activities
   - Data Exfiltration
   asset_type: EC2 Snapshot
   confidence: 80
   impact: 60
-  message: AWS EC2 snapshot from user $user$ is shared publicly by user $user$
   mitre_attack_id:
   - T1537
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -62,7 +61,6 @@ tags:
   - src_endpoint.ip
   - src_endpoint.domain
   - cloud.region
-  risk_score: 48
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml

@@ -28,24 +28,23 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.
+  risk_objects:
+  - field: user
+    type: user
+    score: 10
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - Suspicious Cloud User Activities
   asset_type: AWS Account
   confidence: 50
   impact: 20
-  message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied.
   mitre_attack_id:
   - T1580
-  observable:
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -55,7 +54,6 @@ tags:
   - actor.user.uid
   - src_endpoint.ip
   - cloud.region
-  risk_score: 10
   security_domain: access
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml

@@ -29,25 +29,24 @@ drilldown_searches:
   search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
+rba:
+  message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name.
+  risk_objects:
+  - field: user
+    type: user
+    score: 28
+  threat_objects:
+  - field: src_ip
+    type: ip_address
 tags:
   analytic_story:
   - AWS IAM Privilege Escalation
   asset_type: AWS Account
   confidence: 70
   impact: 40
-  message: User $user$ has caused multiple failures with errorCode AccessDenied, which potentially means adversary is attempting to identify a role name.
   mitre_attack_id:
   - T1580
   - T1110
-  observable:
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -58,7 +57,6 @@ tags:
   - actor.user.uid
   - src_endpoint.ip
   - cloud.region
-  risk_score: 28
   security_domain: access
 tests:
 - name: True Positive Test