Merge branch 'develop' into nterl0k-t1114-sus-o365-email-actions

Author: patel-bhavin

baselines/baseline_of_open_s3_bucket_decommissioning.yml

@@ -0,0 +1,64 @@
+name: Baseline Of Open S3 Bucket Decommissioning
+id: 984e9022-b87b-499a-a260-8d0282c46ea2
+version: 1
+date: '2025-02-12'
+author: Jose Hernandez
+type: Baseline
+status: production
+description: |-
+  The following analytic identifies S3 buckets that were previously exposed to the public and have been subsequently deleted. It leverages AWS CloudTrail logs to track the lifecycle of potentially risky S3 bucket configurations. This activity is crucial for ensuring that public access to sensitive data is properly managed and decommissioned. By monitoring these events, organizations can ensure that exposed buckets are promptly deleted, reducing the risk of unauthorized access. Immediate investigation is recommended to confirm the proper decommissioning of these buckets and to ensure no sensitive data remains exposed. This baseline detection creates a lookup table of decommissioned buckets.csv and their associated events which can be used by detection searches to trigger alerts when decommissioned buckets are detected.
+
+  The  following detections searches leverage this baseline search and the lookup table.
+  * Detect DNS Query to Decommissioned S3 Bucket
+  * Detect Web Access to Decommissioned S3 Bucket
+search: '`cloudtrail` eventSource="s3.amazonaws.com"  (eventName=DeleteBucket OR eventName=PutBucketPolicy OR eventName=PutBucketWebsite)
+| spath input=_raw path=requestParameters.bucketName output=bucketName
+| spath input=_raw path=requestParameters.Host output=host
+| spath input=_raw path=requestParameters.bucketPolicy.Statement{} output=statements
+| spath input=statements output=principal path=Principal
+| spath input=statements output=effect path=Effect
+| spath input=statements output=action path=Action
+| stats values(eventName) as events, 
+        values(requestParameters.bucketPolicy) as policies, 
+        values(principal) as principals,
+        values(effect) as effects,
+        values(action) as actions,
+        min(_time) as firstEvent, 
+        max(_time) as lastEvent,
+        values(userIdentity.accountId) as accountIds,
+        values(userIdentity.arn) as userARNs,
+        values(awsRegion) as awsRegions,
+        values(host) as hosts
+    by bucketName
+| eval isPublicPolicy = if( (mvfind(principals, "\\*")>=0) AND (mvfind(effects, "Allow")>=0) AND (mvfind(actions, "s3:GetObject")>=0), 1, 0)
+| eval isWebsite = if(mvfind(events, "PutBucketWebsite")>=0, 1, 0)
+| eval is_open = if(isPublicPolicy==1 OR isWebsite==1, 1, 0)
+| where is_open==1 AND (mvfind(events, "DeleteBucket")>=0)
+| eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
+| eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
+| table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
+| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
+known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
+references:
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
+- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
+tags:
+  analytic_story:
+  - AWS S3 Bucket Security Monitoring
+  - Suspicious AWS S3 Activities
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  detections:
+  - Detect DNS Query to Decommissioned S3 Bucket
+  - Detect Web Access to Decommissioned S3 Bucket
+  security_domain: audit
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -30d@d
+    latest_time: -1d@d
+    schedule_window: auto