Removal of fields from new detections

Author: ljstella

detections/cloud/asl_aws_create_access_key.yml

@@ -18,23 +18,13 @@ tags:
   analytic_story:
   - AWS IAM Privilege Escalation
   asset_type: AWS Account
-  confidence: 90
-  impact: 70
   mitre_attack_id:
   - T1136.003
   - T1136
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - actor.user.uid
-  - actor.user.account.uid
-  - http_request.user_agent
-  - src_endpoint.ip
-  - src_endpoint.domain
-  - cloud.region
   security_domain: network
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml

@@ -34,29 +34,13 @@ tags:
   analytic_story:
   - AWS IAM Privilege Escalation
   asset_type: AWS Account
-  confidence: 70
-  impact: 70
   mitre_attack_id:
   - T1078.004
   - T1078
-  observable:
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - actor.user.account.uid
-  - api.request.data
-  - actor.user.uid
-  - http_request.user_agent
-  - src_endpoint.ip
-  - src_endpoint.domain
-  - cloud.region
   security_domain: network
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_credential_access_getpassworddata.yml

@@ -28,42 +28,23 @@ rba:
   risk_objects:
   - field: user
     type: user
+    score: 49
   threat_objects:
   - field: src_ip
     type: ip_address
 tags:
   analytic_story:
   - AWS Identity and Access Management Account Takeover
   asset_type: AWS Account
-  confidence: 70
-  impact: 70
   mitre_attack_id:
   - T1586
   - T1586.003
   - T1110
   - T1110.001
-  observable:
-  - name: src_ip
-    type: IP Address
-    role:
-    - Attacker
-  - name: user
-    type: User
-    role:
-    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - actor.user.uid
-  - actor.user.account.uid
-  - http_request.user_agent
-  - src_endpoint.ip
-  - src_endpoint.domain
-  - cloud.region
-  risk_score: 49
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_credential_access_rds_password_reset.yml

@@ -35,8 +35,6 @@ tags:
   analytic_story:
   - AWS Identity and Access Management Account Takeover
   asset_type: AWS Account
-  confidence: 70
-  impact: 70
   mitre_attack_id:
   - T1586
   - T1586.003
@@ -45,15 +43,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - api.request.data
-  - actor.user.uid
-  - actor.user.account.uid
-  - http_request.user_agent
-  - src_endpoint.ip
-  - src_endpoint.domain
-  - cloud.region
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml

@@ -13,21 +13,10 @@ how_to_implement: The detection is based on Amazon Security Lake events from Ama
 known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names.
 references:
 - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/
-rba:
-  message: User $user$ has created a new rule to on an S3 bucket $bucketName$ with short expiration days
-  risk_objects:
-  - field: user
-    type: user
-    score: 20
-  threat_objects:
-  - field: src_ip
-    type: ip_address
 tags:
   analytic_story:
   - AWS Defense Evasion
   asset_type: AWS Account
-  confidence: 40
-  impact: 50
   mitre_attack_id:
   - T1562.008
   - T1562
@@ -37,15 +26,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - api.request.data
-  - actor.user.uid
-  - actor.user.account.uid
-  - http_request.user_agent
-  - src_endpoint.ip
-  - src_endpoint.domain
-  - cloud.region
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml

@@ -48,24 +48,12 @@ tags:
   analytic_story:
   - Ransomware Cloud
   asset_type: AWS Account
-  confidence: 50
-  impact: 50
-  message: AWS account is potentially compromised and user $user$ is trying to compromise other accounts.
   mitre_attack_id:
   - T1486
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - actor.user.uid
-  - actor.user.account.uid
-  - api.request.data
-  - http_request.user_agent
-  - src_endpoint.ip
-  - src_endpoint.domain
-  - cloud.region
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_disable_bucket_versioning.yml

@@ -44,23 +44,12 @@ tags:
   - Suspicious AWS S3 Activities
   - Data Exfiltration
   asset_type: AWS Account
-  confidence: 80
-  impact: 80
   mitre_attack_id:
   - T1490
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - actor.user.uid
-  - actor.user.account.uid
-  - api.request.data
-  - http_request.user_agent
-  - src_endpoint.ip
-  - src_endpoint.domain
-  - cloud.region
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml

@@ -44,23 +44,12 @@ tags:
   - Suspicious Cloud Instance Activities
   - Data Exfiltration
   asset_type: EC2 Snapshot
-  confidence: 80
-  impact: 60
   mitre_attack_id:
   - T1537
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - actor.user.uid
-  - actor.user.account.uid
-  - api.request.data
-  - http_request.user_agent
-  - src_endpoint.ip
-  - src_endpoint.domain
-  - cloud.region
   security_domain: threat
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml

@@ -41,19 +41,12 @@ tags:
   analytic_story:
   - Suspicious Cloud User Activities
   asset_type: AWS Account
-  confidence: 50
-  impact: 20
   mitre_attack_id:
   - T1580
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - api.operation
-  - actor.user.uid
-  - src_endpoint.ip
-  - cloud.region
   security_domain: access
 tests:
 - name: True Positive Test

detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml

@@ -42,21 +42,13 @@ tags:
   analytic_story:
   - AWS IAM Privilege Escalation
   asset_type: AWS Account
-  confidence: 70
-  impact: 40
   mitre_attack_id:
   - T1580
   - T1110
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  required_fields:
-  - _time
-  - api.operation
-  - actor.user.uid
-  - src_endpoint.ip
-  - cloud.region
   security_domain: access
 tests:
 - name: True Positive Test