diff --git a/.gitignore b/.gitignore index c441750030..2a6e590e07 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ external_repos/ # IDE .vscode/ +.cursor/ # usual mac files .DS_Store diff --git a/data_sources/asl_aws_cloudtrail.yml b/data_sources/asl_aws_cloudtrail.yml index 05913a6ff4..edd56c9a67 100644 --- a/data_sources/asl_aws_cloudtrail.yml +++ b/data_sources/asl_aws_cloudtrail.yml @@ -11,3 +11,13 @@ supported_TA: - name: Splunk Add-on for AWS url: https://splunkbase.splunk.com/app/1876 version: 7.9.1 +output_fields: +- action +- dest +- user +- user_agent +- status +- src +- vendor_account +- vendor_region +- vendor_product diff --git a/data_sources/aws_cloudtrail.yml b/data_sources/aws_cloudtrail.yml index e2734eacfe..560f4ec819 100644 --- a/data_sources/aws_cloudtrail.yml +++ b/data_sources/aws_cloudtrail.yml @@ -11,3 +11,12 @@ supported_TA: - name: Splunk Add-on for AWS url: https://splunkbase.splunk.com/app/1876 version: 7.9.1 +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product diff --git a/data_sources/aws_cloudtrail_assumerolewithsaml.yml b/data_sources/aws_cloudtrail_assumerolewithsaml.yml index 6f81a304c6..909af5d7de 100644 --- a/data_sources/aws_cloudtrail_assumerolewithsaml.yml +++ b/data_sources/aws_cloudtrail_assumerolewithsaml.yml @@ -124,3 +124,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "SAMLUser", "pri "type": "AWS::IAM::SAMLProvider", "ARN": "arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product diff --git a/data_sources/aws_cloudtrail_consolelogin.yml b/data_sources/aws_cloudtrail_consolelogin.yml index c1ecfc85fd..7078b7a26c 100644 --- a/data_sources/aws_cloudtrail_consolelogin.yml 
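Review bot: The `output_fields` list added to data_sources/asl_aws_cloudtrail.yml includes `status`, but the list added to data_sources/aws_cloudtrail.yml on the same hunk line omits it, and so do all of the per-event CloudTrail sources that follow (assumerolewithsaml, consolelogin, createaccesskey and the rest through setdefaultpolicyversion). Detections on ConsoleLogin and IAM changes typically key on success versus failure, so if `status` is intentionally ASL-only, a one-line comment above the list such as `# status is only populated by the ASL field mapping` would stop the next contributor from "fixing" it; otherwise `- status` should be added to the other lists as well. The new blocks also end inconsistently — the two generic sources keep a trailing newline while most per-event files end with `\ No newline at end of file` — which is harmless to a YAML parser but produces noisy diffs on the next edit.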
+++ b/data_sources/aws_cloudtrail_consolelogin.yml @@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "acco "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_copyobject.yml b/data_sources/aws_cloudtrail_copyobject.yml index e3c593b810..8e585a5e09 100644 --- a/data_sources/aws_cloudtrail_copyobject.yml +++ b/data_sources/aws_cloudtrail_copyobject.yml @@ -117,3 +117,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin {"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::patricktestbucketencrypt/kms_aws_events.json"}], "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111", "eventCategory": "Data"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_createaccesskey.yml b/data_sources/aws_cloudtrail_createaccesskey.yml index d7a1719024..8295e3b181 100644 --- a/data_sources/aws_cloudtrail_createaccesskey.yml +++ b/data_sources/aws_cloudtrail_createaccesskey.yml @@ -101,3 +101,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventID": "5772e8d5-cccc-470d-81ef-acacfe85a804", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "121521347698"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file 
diff --git a/data_sources/aws_cloudtrail_createkey.yml b/data_sources/aws_cloudtrail_createkey.yml index 4bb43d44ad..ca084d10a3 100644 --- a/data_sources/aws_cloudtrail_createkey.yml +++ b/data_sources/aws_cloudtrail_createkey.yml @@ -148,3 +148,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "111111111111", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_createloginprofile.yml b/data_sources/aws_cloudtrail_createloginprofile.yml index 9969173ed5..c6a66e3f32 100644 --- a/data_sources/aws_cloudtrail_createloginprofile.yml +++ b/data_sources/aws_cloudtrail_createloginprofile.yml @@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventID": "ffb76906-6dd1-4219-adfe-e26b92036a1e", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_createnetworkaclentry.yml b/data_sources/aws_cloudtrail_createnetworkaclentry.yml index a2f6ad9a2a..832dcc56b7 100644 --- a/data_sources/aws_cloudtrail_createnetworkaclentry.yml +++ b/data_sources/aws_cloudtrail_createnetworkaclentry.yml 
@@ -119,3 +119,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "_return": true}, "requestID": "d29c9c32-3a72-48d3-b612-6ba795e9ec64", "eventID": "6d1ce00e-4099-463c-8a4d-2af2fb2178ba", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_createpolicyversion.yml b/data_sources/aws_cloudtrail_createpolicyversion.yml index 755fe9f0b1..aecc7809b4 100644 --- a/data_sources/aws_cloudtrail_createpolicyversion.yml +++ b/data_sources/aws_cloudtrail_createpolicyversion.yml @@ -104,3 +104,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventID": "33149175-90fd-4cff-a43b-408e4f848c1c", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_createsnapshot.yml b/data_sources/aws_cloudtrail_createsnapshot.yml index 600b0023f9..b9a3c9f135 100644 --- a/data_sources/aws_cloudtrail_createsnapshot.yml +++ b/data_sources/aws_cloudtrail_createsnapshot.yml 
@@ -116,3 +116,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_createtask.yml b/data_sources/aws_cloudtrail_createtask.yml index 669e657594..e7fee0117d 100644 --- a/data_sources/aws_cloudtrail_createtask.yml +++ b/data_sources/aws_cloudtrail_createtask.yml @@ -119,3 +119,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "datasync.us-west-2.amazonaws.com"}, "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml index 2161893152..aac3d7e54e 100644 --- a/data_sources/aws_cloudtrail_createvirtualmfadevice.yml +++ b/data_sources/aws_cloudtrail_createvirtualmfadevice.yml 
@@ -97,4 +97,13 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::1111111111111111:mfa/strt_mfa_2"}}, "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": - "1111111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' + "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product diff --git a/data_sources/aws_cloudtrail_deactivatemfadevice.yml b/data_sources/aws_cloudtrail_deactivatemfadevice.yml index 5f035b6840..f75ae55128 100644 --- a/data_sources/aws_cloudtrail_deactivatemfadevice.yml +++ b/data_sources/aws_cloudtrail_deactivatemfadevice.yml @@ -98,3 +98,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip null, "requestID": "d27cfb15-34b4-4c16-82bc-a55d15b4e47d", "eventID": "bfe9fd91-0b4d-470a-9c03-77839151806d", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml index 71542b720c..adac6bc3c5 100644 --- a/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml +++ b/data_sources/aws_cloudtrail_deleteaccountpasswordpolicy.yml 
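Review bot: The modified `recipientAccountId` line in data_sources/aws_cloudtrail_createvirtualmfadevice.yml replaces the placeholder `"1111111111111111"` with `"140429656527"`, which reads like a concrete account identifier rather than the anonymized `"111111111111"` used by the neighbouring example logs in this same commit. Correcting the 16-digit placeholder is reasonable since AWS account IDs are 12 digits, but the replacement should stay a placeholder: `"111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'`. Note that the `serialNumber` ARN a few lines earlier in the same hunk still carries the 16-digit form `arn:aws:iam::1111111111111111:mfa/strt_mfa_2`, so the sample remains internally inconsistent unless that context line is normalised too.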
@@ -98,3 +98,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip "requestID": "e3616938-1aac-4abd-9ea3-3b0367b85082", "eventID": "bbd8cb02-22ba-4d1b-b23d-b82975463376", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletealarms.yml b/data_sources/aws_cloudtrail_deletealarms.yml index 1277dc4fd3..d3f4838723 100644 --- a/data_sources/aws_cloudtrail_deletealarms.yml +++ b/data_sources/aws_cloudtrail_deletealarms.yml @@ -139,3 +139,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "bcfccd92-5bf1-4de1-9cfd-87fdeb70e452", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletedetector.yml b/data_sources/aws_cloudtrail_deletedetector.yml index ca2052001a..e9f71c39dd 100644 --- a/data_sources/aws_cloudtrail_deletedetector.yml +++ b/data_sources/aws_cloudtrail_deletedetector.yml @@ -96,3 +96,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "requestID": "1e832076-d7a8-432b-b0df-54ba62f6b62c", "eventID": "c1367a2f-8910-4e64-9256-a854d2e9f37d", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file 
diff --git a/data_sources/aws_cloudtrail_deletegroup.yml b/data_sources/aws_cloudtrail_deletegroup.yml index fef70de601..fb6fcd293c 100644 --- a/data_sources/aws_cloudtrail_deletegroup.yml +++ b/data_sources/aws_cloudtrail_deletegroup.yml @@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin null, "requestID": "15684d3b-a8c5-4334-a996-16619e901c17", "eventID": "ab65dca3-3d28-41f4-9f99-443606cc49fe", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "121522247101"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deleteipset.yml b/data_sources/aws_cloudtrail_deleteipset.yml index 5b4fa662e4..5dfa194a17 100644 --- a/data_sources/aws_cloudtrail_deleteipset.yml +++ b/data_sources/aws_cloudtrail_deleteipset.yml @@ -97,3 +97,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "requestID": "70d36916-4ce7-4b6e-9226-9da47d58d554", "eventID": "884dc529-d98f-4529-bfa1-8cdd6c06d02f", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deleteloggroup.yml b/data_sources/aws_cloudtrail_deleteloggroup.yml index 8acfb651df..b26cfaec87 100644 --- a/data_sources/aws_cloudtrail_deleteloggroup.yml +++ b/data_sources/aws_cloudtrail_deleteloggroup.yml 
@@ -98,3 +98,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "apiVersion": "20140328", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletelogstream.yml b/data_sources/aws_cloudtrail_deletelogstream.yml index de55c5ea81..7fc4b58fb7 100644 --- a/data_sources/aws_cloudtrail_deletelogstream.yml +++ b/data_sources/aws_cloudtrail_deletelogstream.yml @@ -99,3 +99,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "apiVersion": "20140328", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "logs.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml index 94dea0f434..d126f8eec4 100644 --- a/data_sources/aws_cloudtrail_deletenetworkaclentry.yml +++ b/data_sources/aws_cloudtrail_deletenetworkaclentry.yml 
@@ -108,3 +108,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "_return": true}, "requestID": "607474bb-836b-46be-be4a-351ebbef67d6", "eventID": "b9e05770-e9b0-4ba1-91e8-6537097e06e7", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletepolicy.yml b/data_sources/aws_cloudtrail_deletepolicy.yml index 7c8c181855..c98ed8eef4 100644 --- a/data_sources/aws_cloudtrail_deletepolicy.yml +++ b/data_sources/aws_cloudtrail_deletepolicy.yml @@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "responseElements": null, "requestID": "90cbe52f-e744-4bba-9f5c-1843c9ca1855", "eventID": "abd071bf-0a38-4fab-af4a-5eee55f0935e", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "151521547504"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deleterule.yml b/data_sources/aws_cloudtrail_deleterule.yml index e4061c8a3f..3fd4966201 100644 --- a/data_sources/aws_cloudtrail_deleterule.yml +++ b/data_sources/aws_cloudtrail_deleterule.yml 
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletesnapshot.yml b/data_sources/aws_cloudtrail_deletesnapshot.yml index 83a15e8c9d..ccba4f7ad5 100644 --- a/data_sources/aws_cloudtrail_deletesnapshot.yml +++ b/data_sources/aws_cloudtrail_deletesnapshot.yml @@ -143,3 +143,12 @@ example_log: '{"eventVersion": "1.09", "userIdentity": {"type": "AssumedRole", " "56f61d71-6620-4958-8dbf-03410913f1cc", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "11111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletetrail.yml b/data_sources/aws_cloudtrail_deletetrail.yml index da13b0269c..50b9c6c832 100644 --- a/data_sources/aws_cloudtrail_deletetrail.yml +++ b/data_sources/aws_cloudtrail_deletetrail.yml 
@@ -96,3 +96,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml index 21859dada9..35d80d2cf2 100644 --- a/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml +++ b/data_sources/aws_cloudtrail_deletevirtualmfadevice.yml @@ -98,3 +98,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip "01f0258f-b83f-4c0f-8fd3-380473840db8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_deletewebacl.yml b/data_sources/aws_cloudtrail_deletewebacl.yml index 464634f0ad..ab9fadfa4f 100644 --- a/data_sources/aws_cloudtrail_deletewebacl.yml +++ b/data_sources/aws_cloudtrail_deletewebacl.yml 
@@ -100,3 +100,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "apiVersion": "2015-08-24", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "waf.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_describeeventaggregates.yml b/data_sources/aws_cloudtrail_describeeventaggregates.yml index c4849b1233..bb05e04cf1 100644 --- a/data_sources/aws_cloudtrail_describeeventaggregates.yml +++ b/data_sources/aws_cloudtrail_describeeventaggregates.yml @@ -95,3 +95,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "1111111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_describeimagescanfindings.yml b/data_sources/aws_cloudtrail_describeimagescanfindings.yml index 8b3f6fd0aa..25383e9108 100644 --- a/data_sources/aws_cloudtrail_describeimagescanfindings.yml +++ b/data_sources/aws_cloudtrail_describeimagescanfindings.yml 
@@ -893,3 +893,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "23c19e2d-c48b-4265-b4eb-853e7b325780", "eventID": "6c94a9b2-36dc-43f8-a6dd-4ec839ded8af", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml index 3315cc9143..8433aa0149 100644 --- a/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml +++ b/data_sources/aws_cloudtrail_getaccountpasswordpolicy.yml @@ -97,3 +97,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "iam.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_getobject.yml b/data_sources/aws_cloudtrail_getobject.yml index 6ec2284157..b6c55f6757 100644 --- a/data_sources/aws_cloudtrail_getobject.yml +++ b/data_sources/aws_cloudtrail_getobject.yml 
@@ -111,3 +111,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventType": "AwsApiCall", "managementEvent": false, "recipientAccountId": "111111111111", "eventCategory": "Data", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "security-content.s3.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_getpassworddata.yml b/data_sources/aws_cloudtrail_getpassworddata.yml index 20f51f7003..f7f9adc714 100644 --- a/data_sources/aws_cloudtrail_getpassworddata.yml +++ b/data_sources/aws_cloudtrail_getpassworddata.yml @@ -113,3 +113,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_jobcreated.yml b/data_sources/aws_cloudtrail_jobcreated.yml index 18c2c3b2c9..ca1acee232 100644 --- a/data_sources/aws_cloudtrail_jobcreated.yml +++ b/data_sources/aws_cloudtrail_jobcreated.yml 
@@ -82,3 +82,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"accountId": "1111111111 "jobArn": "arn:aws:s3:us-west-2:111111111111:job/bb54efd8-937d-4f0c-967d-aa8443998dac", "status": "New", "jobEventId": "4e70d2f1053c07a79d9be9a14e486020", "failureCodes": [], "statusChangeReason": []}, "eventCategory": "Management"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_modifydbinstance.yml b/data_sources/aws_cloudtrail_modifydbinstance.yml index 3c1769680a..c9d2597bf2 100644 --- a/data_sources/aws_cloudtrail_modifydbinstance.yml +++ b/data_sources/aws_cloudtrail_modifydbinstance.yml @@ -191,3 +191,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "eventID": "46351ca1-760e-4eef-b3ff-19723e13fbf8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_modifyimageattribute.yml b/data_sources/aws_cloudtrail_modifyimageattribute.yml index 836fee56bc..4b550d9c9a 100644 --- a/data_sources/aws_cloudtrail_modifyimageattribute.yml +++ b/data_sources/aws_cloudtrail_modifyimageattribute.yml @@ -106,3 +106,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "eventID": "957e1b12-ea17-4006-aefd-20677ace72b8", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file 
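Review bot: The `output_fields` list added to data_sources/aws_cloudtrail_jobcreated.yml declares `user`, `user_agent` and `src`, yet the visible context of this file's example log shows a `userIdentity` that opens with `accountId` rather than `type`/`principalId`, and the tail of the event is an S3 batch-job status block, which suggests this event type may not carry the fields those outputs are derived from. Most of the example log lies outside the hunk so this is an inference; if JobCreated events do lack sourceIPAddress and userAgent, the list should be trimmed to what the source actually emits, or a comment such as `# user/user_agent/src may be empty for service-generated events` placed above it, so detections are not written against fields that never populate.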
diff --git a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml index 5c006d97a8..2a1711a395 100644 --- a/data_sources/aws_cloudtrail_modifysnapshotattribute.yml +++ b/data_sources/aws_cloudtrail_modifysnapshotattribute.yml @@ -99,3 +99,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putbucketacl.yml b/data_sources/aws_cloudtrail_putbucketacl.yml index d5009bf3d2..8607f79db3 100644 --- a/data_sources/aws_cloudtrail_putbucketacl.yml +++ b/data_sources/aws_cloudtrail_putbucketacl.yml @@ -114,3 +114,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "resources": [{"accountId": "111111111111", "type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::patricktestbucket19"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putbucketlifecycle.yml b/data_sources/aws_cloudtrail_putbucketlifecycle.yml index 060a4d5b9a..8fb1f0ea5d 100644 --- a/data_sources/aws_cloudtrail_putbucketlifecycle.yml +++ b/data_sources/aws_cloudtrail_putbucketlifecycle.yml 
@@ -118,3 +118,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "my-cloudtrail-bucket-alfsujjpnbpguqrh.s3.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putbucketreplication.yml b/data_sources/aws_cloudtrail_putbucketreplication.yml index 9c72d4c291..d089c50bc7 100644 --- a/data_sources/aws_cloudtrail_putbucketreplication.yml +++ b/data_sources/aws_cloudtrail_putbucketreplication.yml @@ -139,3 +139,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " true, "recipientAccountId": "111111111111", "vpcEndpointId": "vpce-a0d039c9", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putbucketversioning.yml b/data_sources/aws_cloudtrail_putbucketversioning.yml index ebdfefcc92..f7d9ea6c70 100644 --- a/data_sources/aws_cloudtrail_putbucketversioning.yml +++ b/data_sources/aws_cloudtrail_putbucketversioning.yml 
@@ -127,3 +127,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " true, "recipientAccountId": "111111111111", "vpcEndpointId": "vpce-a0d039c9", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putimage.yml b/data_sources/aws_cloudtrail_putimage.yml index 2f1625ef3e..00942041d0 100644 --- a/data_sources/aws_cloudtrail_putimage.yml +++ b/data_sources/aws_cloudtrail_putimage.yml @@ -149,3 +149,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "readOnly": false, "resources": [{"accountId": "111111111111", "ARN": "arn:aws:ecr:eu-central-1:1111111111111:repository/devsecops/cat_dog_server"}], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_putkeypolicy.yml b/data_sources/aws_cloudtrail_putkeypolicy.yml index fb9b0a64d3..d2e74b6a55 100644 --- a/data_sources/aws_cloudtrail_putkeypolicy.yml +++ b/data_sources/aws_cloudtrail_putkeypolicy.yml @@ -130,3 +130,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "ARN": "arn:aws:kms:us-west-2:111111111111:key/f2a82583-a7d3-4c92-8787-fe2baab1cee1"}], "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file 
diff --git a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml index c3dfb3942e..df21b230e8 100644 --- a/data_sources/aws_cloudtrail_replacenetworkaclentry.yml +++ b/data_sources/aws_cloudtrail_replacenetworkaclentry.yml @@ -116,3 +116,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "_return": true}, "requestID": "97b40da9-9291-4a92-8e9e-892b6887ffc9", "eventID": "46fe04b8-d007-4933-8bb8-c8b65c1121fa", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml index 26c0214146..0e1b6c9c57 100644 --- a/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml +++ b/data_sources/aws_cloudtrail_setdefaultpolicyversion.yml @@ -97,3 +97,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "eventID": "742f6e55-4bc7-49e2-965f-56ffbc46a980", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_stoplogging.yml b/data_sources/aws_cloudtrail_stoplogging.yml index 0f29b4bc23..db0ffc8259 100644 --- a/data_sources/aws_cloudtrail_stoplogging.yml +++ b/data_sources/aws_cloudtrail_stoplogging.yml 
@@ -93,3 +93,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml index e378ea1ed5..15abc1be57 100644 --- a/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml +++ b/data_sources/aws_cloudtrail_updateaccountpasswordpolicy.yml @@ -105,3 +105,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip null, "requestID": "7685efa9-5c56-451a-bd25-3db520108589", "eventID": "ccc1d5c2-dd72-4798-8023-ed5a4205f2d5", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_updateloginprofile.yml b/data_sources/aws_cloudtrail_updateloginprofile.yml index f7731254c3..eda86cdbd3 100644 --- a/data_sources/aws_cloudtrail_updateloginprofile.yml +++ b/data_sources/aws_cloudtrail_updateloginprofile.yml 
@@ -95,3 +95,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "08f38478-1749-4fb5-b07c-469d3448777a", "eventID": "033580e7-bbba-4b70-be63-7eeddb04b842", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_updatesamlprovider.yml b/data_sources/aws_cloudtrail_updatesamlprovider.yml index faa465f737..d2b4294c10 100644 --- a/data_sources/aws_cloudtrail_updatesamlprovider.yml +++ b/data_sources/aws_cloudtrail_updatesamlprovider.yml @@ -185,3 +185,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", " "requestID": "83d621ad-5b33-4ff0-acf4-0043cb432844", "eventID": "51b6d859-0cc4-4591-ba76-3494f3f43832", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "eventCategory": "Management", "recipientAccountId": "111111111111"}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file diff --git a/data_sources/aws_cloudtrail_updatetrail.yml b/data_sources/aws_cloudtrail_updatetrail.yml index 265e352353..564b226acd 100644 --- a/data_sources/aws_cloudtrail_updatetrail.yml +++ b/data_sources/aws_cloudtrail_updatetrail.yml @@ -105,3 +105,12 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "prin "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com"}}' +output_fields: +- action +- dest +- user +- user_agent +- src +- vendor_account +- vendor_region +- vendor_product \ No newline at end of file 
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml index b3bf16236b..eaf8027900 100644 --- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml @@ -1,6 +1,6 @@ name: ASL AWS Concurrent Sessions From Different Ips id: b3424bbe-3204-4469-887b-ec144483a336 -version: 6 +version: 7 date: '2024-11-14' author: Patrick Bareiss, Splunk status: production 
@@ -8,7 +8,13 @@ type: Anomaly description: The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the `DescribeEventAggregates` API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" | bin span=5m _time | stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid | where distinct_ip_count > 1 | rename actor.user.uid as user | `asl_aws_concurrent_sessions_from_different_ips_filter`' +search: '`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" + | bin span=5m _time + | stats min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid + | where distinct_ip_count > 1 + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | 
`security_content_ctime(lastTime)` + | `asl_aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. references: @@ -37,7 +43,7 @@ rba: type: user score: 42 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml index f73e4719af..fbe7451376 100644 --- a/detections/cloud/asl_aws_create_access_key.yml +++ b/detections/cloud/asl_aws_create_access_key.yml @@ -1,6 +1,6 @@ name: ASL AWS Create Access Key id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8 -version: 2 +version: 3 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
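Review bot: The rename `src_endpoint.ip as src` in the new search is a no-op, because the preceding `stats` already emitted that value as `src_ip` (`values(src_endpoint.ip) as src_ip`), so the results carry `src_ip` and never a `src` field. The `rba.threat_objects` hunk in this same file switches the threat object from `src_ip` to `src`, so risk events would reference a field that does not exist in the search output. Change the stats clause to `values(src_endpoint.ip) as src` and drop `src_endpoint.ip as src` from the rename (or, alternatively, rename `src_ip as src`). The other detections in this commit keep `src_endpoint.ip` in the `by` clause, so their rename to `src` works as intended.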
@@ -14,20 +14,14 @@ description: The following analytic identifies the creation of AWS IAM access ke access to AWS services, data exfiltration, and long-term persistence in the environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=CreateAccessKey | fillnull | stats count - min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid - http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as - user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`amazon_security_lake` api.operation=CreateAccessKey + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_create_access_key_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has legitimately created keys for another user. 
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml index d7f2b0d689..ebc5717631 100644 --- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml @@ -1,6 +1,6 @@ name: ASL AWS Create Policy Version to allow all resources id: 22cc7a62-3884-48c4-82da-592b8199b72f -version: 2 +version: 3 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
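Review bot: This search now emits `src` and `vendor_region` instead of `src_ip` and `region`, but unlike the getpassworddata, rds_password_reset, delete_cloudtrail and delete_cloudwatch_log_group detections in this commit, no `rba.threat_objects` hunk accompanies the change here, nor for create_policy_version_to_allow_all_resources and defense_evasion_impair_security_services. If those files' `rba` sections (outside the hunk) still reference `src_ip`, their threat objects would point at a field the search no longer produces; if they never referenced it, nothing is needed. Worth a quick check before merge, since a stale threat-object field name fails silently at risk-event time rather than at search time.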
@@ -14,23 +14,18 @@ description: The following analytic identifies the creation of a new AWS IAM pol to unauthorized actions, data exfiltration, or further compromise of the AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=CreatePolicy | spath input=api.request.data - | spath input=policyDocument | regex Statement{}.Action="\*" | regex Statement{}.Resource="\*" - | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation - actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region - api.request.data | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region - as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`|`asl_aws_create_policy_version_to_allow_all_resources_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has legitimately created a policy to allow a user to access all - resources. That said, AWS strongly advises against granting full control to all - AWS resources and you must verify this activity. 
+search: '`amazon_security_lake` api.operation=CreatePolicy + | spath input=api.request.data + | spath input=policyDocument + | regex Statement{}.Action="\*" + | regex Statement{}.Resource="\*" + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |`asl_aws_create_policy_version_to_allow_all_resources_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources and you must verify this activity. references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml index 808dfd47e7..e97f64423a 100644 --- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml 
+++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml @@ -1,6 +1,6 @@ name: ASL AWS Credential Access GetPasswordData id: a79b607a-50cc-4704-bb9d-eff280cb78c2 -version: 2 +version: 3 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
@@ -15,20 +15,15 @@ description: The following analytic identifiesGetPasswordData API calls in your AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=GetPasswordData | spath input=api.request.data - | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation - actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region - instanceId | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region - as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` |`asl_aws_credential_access_getpassworddata_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: Administrator tooling or automated scripts may make these calls - but it is highly unlikely to make several calls in a short period of time. 
+search: '`amazon_security_lake` api.operation=GetPasswordData + | spath input=api.request.data + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region instanceId + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + |`asl_aws_credential_access_getpassworddata_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: Administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. references: - https://attack.mitre.org/techniques/T1552/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ @@ -53,7 +48,7 @@ rba: type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml index c7248c18e7..7105538b78 100644 --- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml 
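Review bot: The description in this hunk's context reads `identifiesGetPasswordData`, missing a space before the API name. Since the commit already rewrites this file's `how_to_implement` and `known_false_positives` lines, changing it to `identifies GetPasswordData` in the same pass keeps the published description readable.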
@@ -1,6 +1,6 @@ name: ASL AWS Credential Access RDS Password reset id: d15e9bd9-ef64-4d84-bc04-f62955a9fee8 -version: 2 +version: 3 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
@@ -16,19 +16,15 @@ description: The following analytic detects the resetting of the master user pas reset. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster - | spath input=api.request.data | search masterUserPassword=* | fillnull | stats - count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid - actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, - http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`amazon_security_lake` api.operation=ModifyDBInstance OR api.operation=ModifyDBCluster + | spath input=api.request.data + | search masterUserPassword=* + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`asl_aws_credential_access_rds_password_reset_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. 
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Users may genuinely reset the RDS password. references: - https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds @@ -53,7 +49,7 @@ rba: type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml index a04efd1649..0caed90b62 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml @@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Delete Cloudtrail id: 1f0b47e5-0134-43eb-851c-e3258638945e -version: 7 +version: 8 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
@@ -14,20 +14,14 @@ description: The following analytic detects AWS `DeleteTrail` events within Clou other potential compromises within the AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DeleteTrail | fillnull | stats count - min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid - http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as - user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `asl_aws_defense_evasion_delete_cloudtrail_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has stopped cloudTrail logging. Please investigate this activity. 
+search: '`amazon_security_lake` api.operation=DeleteTrail + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `asl_aws_defense_evasion_delete_cloudtrail_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudTrail logging. Please investigate this activity. references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: @@ -51,7 +45,7 @@ rba: type: user score: 90 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml index cccf09434f..f13418270d 100644 --- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml 
@@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Delete CloudWatch Log Group id: 0f701b38-a0fb-43fd-a83d-d12265f71f33 -version: 6 +version: 7 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
@@ -15,20 +15,14 @@ description: The following analytic detects the deletion of CloudWatch log group the compromised AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DeleteLogGroup | fillnull | stats count - min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid - http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as - user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| - `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has deleted CloudWatch logging. Please investigate this activity. 
+search: '`amazon_security_lake` api.operation=DeleteLogGroup + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `asl_aws_defense_evasion_delete_cloudwatch_log_group_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has deleted CloudWatch logging. Please investigate this activity. references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: @@ -52,7 +46,7 @@ rba: type: user score: 90 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml index 33368956c8..5234ae230b 100644 --- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml 
@@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Impair Security Services id: 5029b681-0462-47b7-82e7-f7e3d37f5a2d -version: 6 +version: 7 date: '2025-02-10' author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production 
@@ -15,21 +15,14 @@ description: The following analytic detects the deletion of critical AWS Securit within the AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") - | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation - actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, - http_request.user_agent as user_agent, actor.user.account_uid as aws_account_id - | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_impair_security_services_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that it is a legitimate admin activity. Please consider filtering out these noisy - events using userAgent, user_arn field names. 
+search: '`amazon_security_lake` api.operation IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `asl_aws_defense_evasion_impair_security_services_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: - https://docs.aws.amazon.com/cli/latest/reference/guardduty/index.html - https://docs.aws.amazon.com/cli/latest/reference/waf/index.html diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml index 1ae40f392d..ce16123a06 100644 --- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml 
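Review bot: The rewrapped `known_false_positives` line in this hunk still tells operators to filter on `userAgent, user_arn`, but after the new `rename` the search emits `user_agent` and `user` (plus `vendor_account`), so the suggested field names do not exist in the output. Suggest `known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using the user_agent and user fields.` The same stale text is carried into the `asl_aws_defense_evasion_putbucketlifecycle.yml` hunk below.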
@@ -1,6 +1,6 @@
 name: ASL AWS Defense Evasion PutBucketLifecycle
 id: 986565a2-7707-48ea-9590-37929cebc938
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
@@ -14,23 +14,17 @@ description: The following analytic detects `PutBucketLifecycle` events in AWS C tracks, making it difficult to trace their actions and respond to the breach effectively. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=PutBucketLifecycle | spath input=api.request.data - path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays - | where NoncurrentDays < 3 | spath input=api.request.data | fillnull | stats count - min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid - http_request.user_agent src_endpoint.ip cloud.region NoncurrentDays bucketName | - rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, - http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`amazon_security_lake` api.operation=PutBucketLifecycle + | spath input=api.request.data path=LifecycleConfiguration.Rule.NoncurrentVersionExpiration.NoncurrentDays output=NoncurrentDays + | where NoncurrentDays < 3 + | spath input=api.request.data + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region NoncurrentDays bucketName + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_putbucketlifecycle_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. 
To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that it is a legitimate admin activity. Please consider filtering out these noisy - events using userAgent, user_arn field names. +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that it is a legitimate admin activity. Please consider filtering out these noisy events using userAgent, user_arn field names. references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ tags: diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml index ab0b74e5d6..8182273cb2 100644 --- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml @@ -1,6 +1,6 @@ name: ASL AWS Defense Evasion Stop Logging Cloudtrail id: 0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1 -version: 5 +version: 6 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
@@ -17,20 +17,14 @@ description: The following analytic detects `StopLogging` events within AWS Clou by obscuring the attacker's actions. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=StopLogging | fillnull | stats count - min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid - http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as - user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has stopped cloudtrail logging. Please investigate this activity. 
+search: '`amazon_security_lake` api.operation=StopLogging + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `asl_aws_defense_evasion_stop_logging_cloudtrail_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has stopped cloudtrail logging. Please investigate this activity. references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: @@ -48,14 +42,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user$ has stopped Cloudtrail logging for account id $aws_account_id$ - from IP $src_ip$ + message: User $user$ has stopped Cloudtrail logging for account id $vendor_account$ + from IP $src$ risk_objects: - field: user type: user score: 90 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: 
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index 55888e23cc..5a1208fb76 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Defense Evasion Update Cloudtrail
 id: f3eb471c-16d0-404d-897c-7653f0a78cba
-version: 5
+version: 6
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
@@ -16,20 +16,14 @@ description: The following analytic detects `UpdateTrail` events within AWS Clou being logged, thereby hindering incident response and forensic investigations. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=UpdateTrail | fillnull | stats count - min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid - http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as - user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent, actor.user.account.uid as aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `asl_aws_defense_evasion_update_cloudtrail_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has updated cloudtrail logging. Please investigate this activity. 
+search: '`amazon_security_lake` api.operation=UpdateTrail + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` + | `asl_aws_defense_evasion_update_cloudtrail_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has updated cloudtrail logging. Please investigate this activity. references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: @@ -47,14 +41,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user$ has updated a cloudtrail logging for account id $aws_account_id$ - from IP $src_ip$ + message: User $user$ has updated a cloudtrail logging for account id $vendor_account$ + from IP $src$ risk_objects: - field: user type: user score: 90 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: 
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 41ee11048f..9ad002d4d2 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Detect Users creating keys with encrypt policy without MFA
 id: 16ae9076-d1d5-411c-8fdd-457504b33dac
-version: 1
+version: 2
 date: '2024-12-16'
 author: Patrick Bareiss, Splunk
 status: production
@@ -19,8 +19,8 @@ search: '`amazon_security_lake` api.operation=PutKeyPolicy OR api.operation=Crea | search action=kms* | regex principal="\*" | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' how_to_implement: The detection is based on Cloudtrail events from Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: unknown diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml index b475b18556..658ec386de 100644 --- a/detections/cloud/asl_aws_disable_bucket_versioning.yml +++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml 
@@ -1,6 +1,6 @@ name: ASL AWS Disable Bucket Versioning id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc -version: 1 +version: 2 date: '2024-12-16' author: Patrick Bareiss, Splunk status: production @@ -13,8 +13,8 @@ search: '`amazon_security_lake` api.operation=PutBucketVersioning | spath input=api.request.data path=bucketName output=bucketName | search Status=Suspended | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data bucketName - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `asl_aws_disable_bucket_versioning_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: It is possible that an AWS Administrator has legitimately disabled versioning on certain buckets to avoid costs. 
@@ -31,13 +31,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src_ip$ + message: Bucket Versioning is suspended for S3 buckets- $bucketName$ by user $user$ from IP address $src$ risk_objects: - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml index baeb005631..ddd4f088e5 100644 --- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml @@ -1,6 +1,6 @@ name: ASL AWS EC2 Snapshot Shared Externally id: 00af8f7f-e004-446b-9bba-2732f717ae27 -version: 1 +version: 2 date: '2024-12-17' author: Patrick Bareiss, Splunk status: production 
@@ -12,8 +12,8 @@ search: '`amazon_security_lake` api.operation=ModifySnapshotAttribute | spath input=api.request.data path=createVolumePermission.add.items{}.group output=group | search group=all | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region api.request.data - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ec2_snapshot_shared_externally_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: It is possible that an AWS admin has legitimately shared a snapshot with others for a specific purpose. 
@@ -31,13 +31,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS EC2 snapshot from user $user$ is shared publicly by user $user$ + message: AWS EC2 snapshot from user $user$ is shared publicly risk_objects: - field: user type: user score: 48 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml index c4a461916e..a65cf4ea32 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml @@ -1,6 +1,6 @@ name: ASL AWS ECR Container Upload Outside Business Hours id: 739ed682-27e9-4ba0-80e5-a91b97698213 -version: 6 +version: 7 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
@@ -15,21 +15,16 @@ description: The following analytic detects the upload of new containers to AWS and their associated impacts. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=PutImage | eval hour=strftime(time/pow(10,3), - "%H"), weekday=strftime(time/pow(10,3), "%A") | where hour >= 20 OR hour < 8 OR - weekday=Saturday OR weekday=Sunday | fillnull | stats count min(_time) as firstTime - max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent - cloud.region | rename actor.user.uid as user, cloud.region as region, http_request.user_agent - as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`amazon_security_lake` api.operation=PutImage + | eval hour=strftime(time/pow(10,3), "%H"), weekday=strftime(time/pow(10,3), "%A") + | where hour >= 20 OR hour < 8 OR weekday=Saturday OR weekday=Sunday + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region api.request.data bucketName + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_outside_business_hours_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: When your development is spreaded in different time zones, - applying this rule can be difficult. +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: When your development is spreaded in different time zones, applying this rule can be difficult. references: - https://attack.mitre.org/techniques/T1204/003/ drilldown_searches: diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml index 9f92aaa8b3..dcd5166378 100644 --- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml @@ -1,6 +1,6 @@ name: ASL AWS ECR Container Upload Unknown User id: 886a8f46-d7e2-4439-b9ba-aec238e31732 -version: 5 +version: 6 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
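Review bot: The new `stats ... by` line for the `PutImage` search ends in `api.request.data bucketName`, which looks carried over from the S3 `PutBucketVersioning` search rather than written for ECR; an image push carries no `bucketName`, and `stats ... by` drops every event whose group-by field is null, so unless `fillnull` happens to materialize that field this detection would return no rows. Dropping the two trailing fields, `| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region`, would also keep it in line with the other ASL searches in this commit. Running the search against a PutImage sample would confirm. Separately, the rewrapped `known_false_positives` line keeps the typo `spreaded`; `spread` reads better.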
@@ -17,18 +17,13 @@ description: The following analytic detects unauthorized container uploads to AW cloud environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` | stats - count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid - actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename - actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`amazon_security_lake` api.operation=PutImage NOT `aws_ecr_users_asl` + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_ecr_container_upload_unknown_user_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. 
To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: unknown references: - https://attack.mitre.org/techniques/T1204/003/ @@ -53,7 +48,7 @@ rba: type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml index c4c121d8b5..8108ed6e5b 100644 --- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml +++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml @@ -1,6 +1,6 @@ name: ASL AWS IAM AccessDenied Discovery Events id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2 -version: 1 +version: 2 date: '2025-01-08' author: Patrick Bareiss, Splunk status: production 
@@ -10,9 +10,9 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.response.error=AccessDenied OR api.response.error=OperationNotPermittedException OR api.response.error=*Unauthorized* actor.user.type=IAMUser | bucket _time span=1h - | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time + | stats count as failures min(_time) as firstTime max(_time) as lastTime dc(api.operation) as dc_operation, dc(api.service.name) as dc_service values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region by _time actor.user.uid | where failures >= 5 AND dc_operation >= 1 AND dc_service >= 1 - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_accessdenied_discovery_events_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml index 3eab43490b..760ec5d535 100644 --- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml +++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml @@ -1,6 +1,6 @@ name: ASL AWS IAM Assume Role Policy Brute Force id: 726959fe-316d-445c-a584-fa187d64e295 -version: 1 +version: 2 date: '2025-01-08' author: Patrick Bareiss, Splunk status: production 
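Review bot: The new `stats` line writes `values(src_endpoint.ip) as src_ip`, but the new `rename` line then renames `src_endpoint.ip as src`; after `stats` there is no `src_endpoint.ip` field, so that rename is a no-op and the result carries `src_ip` instead of the `src` that the other ASL detections in this commit standardize on and that their `threat_objects` now reference. Changing the stats alias to `values(src_endpoint.ip) as src_endpoint.ip` makes the rename effective. The `asl_aws_iam_assume_role_policy_brute_force.yml` hunk below has the same mismatch. The rba and threat_objects sections of both files are outside these hunks, so whether they reference `src` or `src_ip` cannot be checked here.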
@@ -10,9 +10,9 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation="AssumeRole" "api.response.error"=AccessDenied | bucket _time span=1h - | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(src_endpoint.ip) as src_endpoint.ip values(cloud.region) as cloud.region by actor.user.uid _time + | stats count as failures min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region by _time actor.user.uid | where failures >= 3 - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_assume_role_policy_brute_force_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. 
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml
index ea67cfda56..8e9d87425b 100644
--- a/detections/cloud/asl_aws_iam_delete_policy.yml
+++ b/detections/cloud/asl_aws_iam_delete_policy.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Delete Policy
 id: 609ced68-d420-4ff7-8164-ae98b4b4018c
-version: 5
+version: 6
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
@@ -8,7 +8,12 @@ type: Hunting description: The following analytic identifies when a policy is deleted in AWS. It leverages Amazon Security Lake logs to detect the DeletePolicy API operation. Monitoring policy deletions is crucial as it can indicate unauthorized attempts to weaken security controls. If confirmed malicious, this activity could allow an attacker to remove critical security policies, potentially leading to privilege escalation or unauthorized access to sensitive resources. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DeletePolicy | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_delete_policy_filter`' +search: '`amazon_security_lake` api.operation=DeletePolicy + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `asl_aws_iam_delete_policy_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. 
To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved seperately and tuned for failed or success attempts only.
 references:
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index 81c04e1523..f84ecec18c 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Failure Group Deletion
 id: 8d12f268-c567-4557-9813-f8389e235c06
-version: 6
+version: 7
 date: '2024-11-14'
 author: Patrick Bareiss, Splunk
 status: production
@@ -8,7 +8,12 @@ type: Anomaly description: The following analytic detects failed attempts to delete AWS IAM groups, triggered by access denial, conflicts, or non-existent groups. It operates by monitoring CloudTrail logs for specific error codes related to deletion failures. This behavior is significant for a SOC as it may indicate unauthorized attempts to modify access controls or disrupt operations by removing groups. Such actions could be part of a larger attack aiming to escalate privileges or impair security protocols. Identifying these attempts allows for timely investigation and mitigation, preventing potential impact on the organizations security posture. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_failure_group_deletion_filter`' +search: '`amazon_security_lake` api.operation=DeleteGroup status=Failure http_request.user_agent!=*.amazonaws.com + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `asl_aws_iam_failure_group_deletion_filter`' how_to_implement: The detection is based on 
Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
 known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
 references:
@@ -30,13 +35,13 @@ drilldown_searches:
 latest_offset: $info_max_time$
 rba:
 message: User $user$ has had mulitple failures while attempting to delete groups
- from $src_ip$
+ from $src$
 risk_objects:
 - field: user
 type: user
 score: 5
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index c6b0e18965..48f44b30d1 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -1,6 +1,6 @@
 name: ASL AWS IAM Successful Group Deletion
 id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
@@ -15,18 +15,14 @@ description: The following analytic detects the successful deletion of a group w access to sensitive resources or disruption of AWS environment operations. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=DeleteGroup status=Success | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid - actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename - actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`amazon_security_lake` api.operation=DeleteGroup status=Success + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_iam_successful_group_deletion_filter`' -how_to_implement: You must install the Data Lake Federated Analytics App and ingest - the logs into Splunk. -known_false_positives: This detection will require tuning to provide high fidelity - detection capabilties. Tune based on src addresses (corporate offices, VPN terminations) - or by groups of users. Not every user with AWS access should have permission to - delete groups (least privilege). +how_to_implement: You must install the Data Lake Federated Analytics App and ingest the logs into Splunk. +known_false_positives: This detection will require tuning to provide high fidelity detection capabilties. 
Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).
 references:
 - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html
 - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html
diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
index 0a6a467261..9f331adb00 100644
--- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Multi-Factor Authentication Disabled
 id: 4d2df5e0-1092-4817-88a8-79c7fa054668
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
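Review bot: The successful_group_deletion section renames `src_endpoint.ip` to `src`, but unlike failure_group_deletion, saml_update_identity_provider and updateloginprofile in this commit it has no hunk touching its rba block; if that block still carries `field: src_ip` or a `$src_ip$` message token, the threat object now refers to a field the search no longer emits and the risk message renders blank. The rba block is outside the visible hunk, so this is inferred from the sibling files rather than observed. The new_mfa_method_registered_for_user section has the same shape and deserves the same check.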
@@ -15,20 +15,14 @@ description: The following analytic detects attempts to disable multi-factor aut sensitive resources and prolonged compromise. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) - | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation - actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, - http_request.user_agent as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`amazon_security_lake` (api.operation=DeleteVirtualMFADevice OR api.operation=DeactivateMFADevice) + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region + | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_multi_factor_authentication_disabled_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. 
-known_false_positives: AWS Administrators may disable MFA but it is highly unlikely
- for this event to occur without prior notice to the company
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: AWS Administrators may disable MFA but it is highly unlikely for this event to occur without prior notice to the company
 references:
 - https://attack.mitre.org/techniques/T1621/
 - https://aws.amazon.com/what-is/mfa/
diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
index 62a56cf3bb..88579f1f17 100644
--- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
@@ -1,6 +1,6 @@
 name: ASL AWS Network Access Control List Created with All Open Ports
 id: a2625034-c2de-44fc-b45c-7bac9c4a7974
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
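Review bot: The rewritten multi_factor_authentication_disabled search keeps the old `src_ip`/`region` aliases and does not add `api.service.name` or `cloud.provider`, so it is the only ASL detection in this commit whose output does not match the `output_fields` declared for the ASL AWS CloudTrail data source (action, dest, src, vendor_account, vendor_region, vendor_product). Since the version was bumped anyway, align it with the others: `| stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region` and `| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region`. Any rba or drilldown entries in this file that reference `src_ip` would then need the same `src` update the other files received; they are outside the hunk.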
@@ -21,21 +21,12 @@ search: '`amazon_security_lake` api.operation=CreateNetworkAclEntry OR api.opera path=aclProtocol output=aclProtocol | spath input=api.request.data path=cidrBlock output=cidrBlock | spath input=api.request.data path=networkAclId output=networkAclId | search ruleAction=allow AND egress=false AND aclProtocol=-1 AND cidrBlock=0.0.0.0/0 - | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by api.operation - actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region - networkAclId cidrBlock | rename actor.user.uid as user, src_endpoint.ip as src_ip, - cloud.region as region, http_request.user_agent as user_agent, actor.user.account.uid - as aws_account_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: It's possible that an admin has created this ACL with all ports - open for some legitimate purpose however, this should be scoped and not allowed - in production environment. 
+ | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId cidrBlock + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_created_with_all_open_ports_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It's possible that an admin has created this ACL with all ports open for some legitimate purpose however, this should be scoped and not allowed in production environment. references: [] drilldown_searches: - name: View the detection results for - "$user$" @@ -58,7 +49,7 @@ rba: type: user score: 48 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml index 23067c2c55..59d4c8101d 100644 --- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml +++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml 
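Review bot: The old rename exposed `actor.user.account.uid as aws_account_id` and the new one replaces it with `vendor_account`, but only the threat_objects entry is updated in this section; if the rba message or a drilldown in this file interpolates `$aws_account_id$`, that token now renders empty because no such field is produced any more. Those lines are outside the visible hunks, so this is inferred rather than observed. The network_access_control_list_deleted section drops the same alias (there spelled `actor.user.account_uid`, an old typo the rewrite removes) and should be checked the same way.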
@@ -1,6 +1,6 @@
 name: ASL AWS Network Access Control List Deleted
 id: e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
@@ -15,21 +15,15 @@ description: The following analytic detects the deletion of AWS Network Access C data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=DeleteNetworkAclEntry status=Success - | spath input=api.request.data path=egress output=egress | spath input=api.request.data - path=networkAclId output=networkAclId | search egress=false | fillnull | stats count - min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid - http_request.user_agent src_endpoint.ip cloud.region networkAclId | rename actor.user.uid - as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent, actor.user.account_uid as aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_deleted_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: It's possible that a user has legitimately deleted a network - ACL. 
+ | spath input=api.request.data path=egress output=egress + | spath input=api.request.data path=networkAclId output=networkAclId + | search egress=false + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region networkAclId + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_network_access_control_list_deleted_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: It's possible that a user has legitimately deleted a network ACL. references: [] drilldown_searches: - name: View the detection results for - "$user$" @@ -46,13 +40,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user$ from $src_ip$ has sucessfully deleted network ACLs entry. + message: User $user$ from $src$ has sucessfully deleted network ACLs entry. risk_objects: - field: user type: user score: 5 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml index e787dbcf30..1412490475 100644 
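Review bot: The modified rba message keeps a typo on the new side, `message: User $user$ from $src$ has sucessfully deleted network ACLs entry.`; since the line is already being edited for the `$src$` token, fix it to `message: User $user$ from $src$ has successfully deleted a network ACL entry.` so the risk notable reads correctly. The stats/rename rewrite itself looks consistent with the other ASL files in this commit.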
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -1,6 +1,6 @@
 name: ASL AWS New MFA Method Registered For User
 id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
-version: 7
+version: 8
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: experimental
@@ -15,20 +15,14 @@ description: The following analytic identifies the registration of a new Multi-F the compromised environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice | fillnull | - stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid - actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename - actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`amazon_security_lake` api.operation=CreateVirtualMFADevice + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_new_mfa_method_registered_for_user_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: Newly onboarded users who are registering an MFA method for - the first time will also trigger this detection. 
+how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App.
+known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection.
 references:
 - https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam/
 - https://attack.mitre.org/techniques/T1556/
diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml
index a33f61d9ed..4c0e69b93e 100644
--- a/detections/cloud/asl_aws_saml_update_identity_provider.yml
+++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml
@@ -1,6 +1,6 @@
 name: ASL AWS SAML Update identity provider
 id: 635c26cc-0fd1-4098-8ec9-824bf9544b11
-version: 1
+version: 2
 date: '2025-01-09'
 author: Patrick Bareiss, Splunk
 status: production
@@ -10,8 +10,8 @@ data_source: - ASL AWS CloudTrail search: '`amazon_security_lake` api.operation=UpdateSAMLProvider | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region - | rename actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent as user_agent + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `asl_aws_saml_update_identity_provider_filter`' how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. known_false_positives: Updating a SAML provider or creating a new one may not necessarily be malicious however it needs to be closely monitored. 
@@ -30,13 +30,13 @@ drilldown_searches:
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 rba:
- message: User $user$ from IP address $src_ip$ updated the SAML provider
+ message: User $user$ from IP address $src$ updated the SAML provider
 risk_objects:
 - field: user
 type: user
 score: 64
 threat_objects:
- - field: src_ip
+ - field: src
 type: ip_address
 tags:
 analytic_story:
diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml
index c6f1588db7..43dab5c0cd 100644
--- a/detections/cloud/asl_aws_updateloginprofile.yml
+++ b/detections/cloud/asl_aws_updateloginprofile.yml
@@ -1,6 +1,6 @@
 name: ASL AWS UpdateLoginProfile
 id: 5b3f63a3-865b-4637-9941-f98bd1a50c0d
-version: 2
+version: 3
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
@@ -15,20 +15,13 @@ description: The following analytic detects an AWS CloudTrail event where a user resources within the AWS environment. data_source: - ASL AWS CloudTrail -search: '`amazon_security_lake` api.operation=UpdateLoginProfile | fillnull | stats - count min(_time) as firstTime max(_time) as lastTime by api.operation actor.user.uid - actor.user.account.uid http_request.user_agent src_endpoint.ip cloud.region | rename - actor.user.uid as user, src_endpoint.ip as src_ip, cloud.region as region, http_request.user_agent - as user_agent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `asl_aws_updateloginprofile_filter`' -how_to_implement: The detection is based on Amazon Security Lake events from Amazon - Web Services (AWS), which is a centralized data lake that provides security-related - data from AWS services. To use this detection, you must ingest CloudTrail logs from - Amazon Security Lake into Splunk. To run this search, ensure that you ingest events - using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) - or the Federated Analytics App. -known_false_positives: While this search has no known false positives, it is possible - that an AWS admin has legitimately created keys for another user. 
+search: '`amazon_security_lake` api.operation=UpdateLoginProfile + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime by actor.user.uid api.operation api.service.name http_request.user_agent src_endpoint.ip actor.user.account.uid cloud.provider cloud.region + | rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `asl_aws_updateloginprofile_filter`' +how_to_implement: The detection is based on Amazon Security Lake events from Amazon Web Services (AWS), which is a centralized data lake that provides security-related data from AWS services. To use this detection, you must ingest CloudTrail logs from Amazon Security Lake into Splunk. To run this search, ensure that you ingest events using the latest version of Splunk Add-on for Amazon Web Services (https://splunkbase.splunk.com/app/1876) or the Federated Analytics App. +known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user. references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ @@ -47,14 +40,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user$ from IP address $src_ip$ updated the login profile of another - user - risk_objects: + message: User $user$ from IP address $src$ updated the login profile of another user + risk_objects: - field: user type: user score: 30 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: 
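Review bot: The reflowed known_false_positives line still describes a different detection: `it is possible that an AWS admin has legitimately created keys for another user` is access-key wording, while this search matches `api.operation=UpdateLoginProfile`, which changes another user's console sign-in profile. Suggest `known_false_positives: While this search has no known false positives, it is possible that an AWS admin has legitimately reset or updated the console login profile of another user.` so triage notes describe the action actually observed. The rba and drilldown updates from `src_ip` to `src` in this section are consistent with the new rename.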
diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
index dbe7760777..1f1fd7d422 100644
--- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
+++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
@@ -1,6 +1,6 @@
 name: AWS AMI Attribute Modification for Exfiltration
 id: f2132d74-cf81-4c5e-8799-ab069e67dc9f
-version: 5
+version: 6
 date: '2024-11-14'
 author: Bhavin Patel, Splunk
 status: production
@@ -15,13 +15,14 @@ description: The following analytic detects suspicious modifications to AWS AMI could lead to unauthorized access and potential data breaches, compromising the confidentiality and integrity of organizational information. search: '`cloudtrail` eventName=ModifyImageAttribute (requestParameters.launchPermission.add.items{}.userId - = * OR requestParameters.launchPermission.add.items{}.group = all) | rename requestParameters.launchPermission.add.items{}.group - as group_added | rename requestParameters.launchPermission.add.items{}.userId as - accounts_added | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not - Public") | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) - values(accounts_added) as accounts_added values(ami_status) by src_ip region eventName - userAgent user_arn aws_account_id userIdentity.principalId | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`' + = * OR requestParameters.launchPermission.add.items{}.group = all) + | rename requestParameters.launchPermission.add.items{}.group as group_added + | rename requestParameters.launchPermission.add.items{}.userId as accounts_added + | eval ami_status=if(match(group_added,"all") ,"Public AMI", "Not Public") + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime values(group_added) as group_added values(accounts_added) as accounts_added values(ami_status) as ami_status by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `aws_ami_attribute_modification_for_exfiltration_filter`' how_to_implement: You must install splunk AWS add on and 
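Review bot: The new `stats … by action dest user user_agent src vendor_account vendor_region vendor_product` groups on `user`, which is `userName` after the preceding rename, and Splunk stats discards any event whose by-field is null; the old by-clause used `user_arn` and `userIdentity.principalId`, which CloudTrail populates for every identity type, whereas `userName` (as far as I can tell from the CloudTrail schema) is absent for assumed-role sessions and root, so those ModifyImageAttribute events would silently stop being counted. The ASL UpdateLoginProfile search earlier in this commit already guards against this with `| fillnull`; the same guard, or `| eval user=coalesce(user, 'userIdentity.arn')` placed after the rename, keeps coverage unchanged. The same `userName as user` plus `by … user …` pattern appears in the Concurrent Sessions, Console Login Failed During MFA, Create Policy Version, CreateAccessKey, Credential Access Failed Login, GetPasswordData, RDS Password reset, Delete Cloudtrail, Delete CloudWatch Log Group and Impair Security Services hunks below. The `search:` scalar is complete inside this hunk, but the rba and drilldowns that consume `user` are in a later hunk.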
Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS admin has legitimately shared a @@ -31,12 +32,12 @@ references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/ - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -45,14 +46,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS AMI from account $aws_account_id$ is shared externally with $accounts_added$ - from $src_ip$ or AMI made is made Public. + message: AWS AMI from account $vendor_account$ is shared externally with $accounts_added$ + from $src$ or AMI made is made Public. risk_objects: - - field: user_arn + - field: user type: user score: 80 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: 
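Review bot: The rewritten `rba.message` keeps the wording `or AMI made is made Public`, which reads as a typo carried over from the removed line; since the line is already being touched, `from $src$ or the AMI is made Public.` is clearer and changes no substitution token. The `$vendor_account$` and `$src$` substitutions match the fields the new search emits.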
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml index fe2a6912a7..9787083dff 100644 --- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml @@ -1,6 +1,6 @@ name: AWS Concurrent Sessions From Different Ips id: 51c04fdb-2746-465a-b86e-b413a09c9085 -version: 5 +version: 6 date: '2024-11-14' author: Bhavin Patel, Splunk status: production @@ -15,10 +15,14 @@ description: The following analytic identifies an AWS IAM account with concurren exploitation within the AWS environment. data_source: - AWS CloudTrail DescribeEventAggregates -search: '`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" | - bin span=5m _time | stats values(userAgent) values(eventName) values(src_ip) as - src_ip dc(src_ip) as distinct_ip_count by _time user_arn | where distinct_ip_count - > 1 | `aws_concurrent_sessions_from_different_ips_filter`' +search: '`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" + | bin span=5m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(action) as action values(src) as src values(dest) as dest dc(src) as distinct_ip_count by _time user vendor_account vendor_region vendor_product + | where distinct_ip_count > 1 + | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` + | `aws_concurrent_sessions_from_different_ips_filter`' how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: A user with concurrent sessions from different Ips may also 
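Review bot: Adding `vendor_region` (and `vendor_account`) to the by-clause of the new `stats … by _time user vendor_account vendor_region vendor_product` changes what is counted: the old search grouped by `_time user_arn` only, so one user reaching two regions from two IPs within five minutes scored `distinct_ip_count=2`, but the new grouping puts each region in its own bucket, each bucket sees a single IP, and `where distinct_ip_count > 1` no longer fires. Keep the region as an aggregate instead: `values(vendor_region) as vendor_region … by _time user vendor_account vendor_product`. Also, the filter still uses the add-on alias `src_ip!="AWS Internal"` while the rename reads the raw `sourceIPAddress`; using one name for both keeps the exclusion and the `src` output in step should the alias definition ever differ from the raw field.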
@@ -29,12 +33,12 @@ references: - https://breakdev.org/evilginx-2-next-generation-of-phishing-2fa-tokens/ - https://github.com/kgretzky/evilginx2 drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,14 +47,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has concurrent sessions from more than one unique IP address - $src_ip$ in the span of 5 minutes. + message: User $user$ has concurrent sessions from more than one unique IP address + $src$ in the span of 5 minutes. risk_objects: - - field: user_arn + - field: user type: user score: 42 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml index f8f6815c8d..6796bcc648 100644 --- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml +++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml 
@@ -1,6 +1,6 @@ name: AWS Console Login Failed During MFA Challenge id: 55349868-5583-466f-98ab-d3beb321961e -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Splunk status: production @@ -15,11 +15,13 @@ description: The following analytic identifies failed authentication attempts to attacks if MFA is bypassed. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" - additionalEventData.MFAUsed = "Yes" | stats count min(_time) as firstTime max(_time) - as lastTime by src eventName eventSource aws_account_id errorCode errorMessage userAgent - eventID awsRegion user_name userIdentity.arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `aws_console_login_failed_during_mfa_challenge_filter`' +search: '`cloudtrail` eventName= ConsoleLogin errorMessage="Failed authentication" additionalEventData.MFAUsed = "Yes" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product additionalEventData.MFAUsed errorMessage + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `aws_console_login_failed_during_mfa_challenge_filter`' how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: Legitimate users may miss to reply the MFA challenge within 
@@ -28,12 +30,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for - "$user_name$" - search: '%original_detection_search% | search user_name = "$user_name$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -42,10 +44,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ failed to pass MFA challenge while logging into console + message: User $user$ failed to pass MFA challenge while logging into console from $src$ risk_objects: - - field: user_name + - field: user type: user score: 64 threat_objects: diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml index 13339e55f9..9742f0ee35 100644 --- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml +++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml @@ -1,6 +1,6 @@ name: AWS Create Policy Version to allow all resources id: 2a9b80d3-6340-4345-b5ad-212bf3d0dac4 -version: 8 +version: 9 date: '2025-02-10' author: Bhavin Patel, Splunk status: production 
@@ -14,13 +14,15 @@ description: The following analytic identifies the creation of a new AWS IAM pol to unauthorized actions, data exfiltration, or further compromise of the AWS environment. data_source: - AWS CloudTrail CreatePolicyVersion -search: '`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com - errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements - path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements - output=key_policy_action_1 path=Action | where key_policy_action_1 = "*" | stats - count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) - as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID - awsRegion user user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_create_policy_version_to_allow_all_resources_filter`' +search: '`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success + | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} + | mvexpand key_policy_statements + | spath input=key_policy_statements output=key_policy_action_1 path=Action + | where key_policy_action_1 = "*" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_create_policy_version_to_allow_all_resources_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
 known_false_positives: While this search has no known false positives, it is possible
diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml
index 8e4db2dd78..d8fb41afe5 100644
--- a/detections/cloud/aws_createaccesskey.yml
+++ b/detections/cloud/aws_createaccesskey.yml
@@ -1,6 +1,6 @@
 name: AWS CreateAccessKey
 id: 2a9b80d3-6340-4345-11ad-212bf3d0d111
-version: 7
+version: 8
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
@@ -14,12 +14,13 @@ description: The following analytic identifies the creation of AWS IAM access ke access to AWS services, data exfiltration, and long-term persistence in the environment. data_source: - AWS CloudTrail CreateAccessKey -search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com - errorCode = success | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) - | search match=0 | stats count min(_time) as firstTime max(_time) as lastTime by - requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent - eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`' +search: '`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success + | eval match=if(match(userIdentity.userName,requestParameters.userName),1,0) + | search match=0 + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml index 8e8b47aab4..2acc9beb62 100644 --- a/detections/cloud/aws_createloginprofile.yml +++ b/detections/cloud/aws_createloginprofile.yml 
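Review bot: The new `stats … by action dest user user_agent src vendor_account vendor_region vendor_product` drops `requestParameters.userName`, which the old by-clause carried and which is the only field naming the user the key was created for; since this detection exists precisely for keys created for a different user (`search match=0`), the analyst now sees who created a key but not for whom. Carry it as an aggregate, e.g. `values(requestParameters.userName) as target_user` in the stats, and consider surfacing it in the rba message (outside this hunk). Separately, the retained `match(userIdentity.userName,requestParameters.userName)` is a regex test rather than an equality, so a request whose target name is a substring of the creator's name is treated as self-service; `if('userIdentity.userName'=='requestParameters.userName',1,0)` is the stricter check, though that logic predates this commit.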
@@ -1,6 +1,6 @@
 name: AWS CreateLoginProfile
 id: 2a9b80d3-6340-4345-11ad-212bf444d111
-version: 6
+version: 7
 date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: production
@@ -14,13 +14,16 @@ description: The following analytic identifies the creation of a login profile f to escalate privileges and maintain persistent access to the AWS environment. data_source: - AWS CloudTrail CreateLoginProfile AND AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName - as new_login_profile | table src_ip eventName new_login_profile userIdentity.userName | - join new_login_profile src_ip [| search `cloudtrail` eventName = ConsoleLogin | - rename userIdentity.userName as new_login_profile | stats count values(eventName) - min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode - userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile - src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] +search: '`cloudtrail` eventName = CreateLoginProfile + | rename requestParameters.userName as new_login_profile + | table src_ip eventName new_login_profile userIdentity.userName + | join new_login_profile src_ip + [| search `cloudtrail` eventName = ConsoleLogin + | rename userIdentity.userName as new_login_profile + | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] + | rename eventName as action, eventSource as dest, user_arn as user, userAgent as user_agent, src_ip as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" | `aws_createloginprofile_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
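Review bot: The added `rename … userIdentity.accountId as vendor_account …` cannot populate `vendor_account`: the outer `table src_ip eventName new_login_profile userIdentity.userName` has already discarded `userIdentity.accountId`, and the subsearch's `stats … by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip` does not carry it either, so after the join the field is null and the detection reports no account. `aws_account_id` is what the join does return, so `aws_account_id as vendor_account` in that rename fixes it. The outer table also keeps `userIdentity.userName` although nothing downstream reads it. The `search:` scalar is complete within this hunk; the drilldowns and rba that consume these fields are in the next hunk.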
@@ -30,12 +33,12 @@ references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -44,14 +47,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ is attempting to create a login profile for $new_login_profile$ - and did a console login from this IP $src_ip$ + message: User $user$ is attempting to create a login profile for $new_login_profile$ + and did a console login from this IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 72 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml index 4034c85a31..ccf26bb80e 100644 --- a/detections/cloud/aws_credential_access_failed_login.yml +++ b/detections/cloud/aws_credential_access_failed_login.yml 
@@ -1,6 +1,6 @@ name: AWS Credential Access Failed Login id: a19b354d-0d7f-47f3-8ea6-1a7c36434968 -version: 5 +version: 6 date: '2025-02-10' author: Gowthamaraj Rajendran, Bhavin Patel, Splunk status: production @@ -14,13 +14,12 @@ description: The following analytic identifies unsuccessful login attempts to th resources, leading to data breaches, resource manipulation, or further exploitation within the AWS environment. data_source: -- AWS CloudTrail -search: '| tstats count earliest(_time) as firstTime, latest(_time) as lastTime from - datamodel=Authentication where Authentication.action = failure Authentication.app=AwsConsoleSignIn - Authentication.signature=ConsoleLogin BY Authentication.app Authentication.signature - Authentication.dest Authentication.user Authentication.action Authentication.user_id - Authentication.src | `drop_dm_object_name(Authentication)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - | `aws_credential_access_failed_login_filter`' +- AWS CloudTrail ConsoleLogin +search: '`cloudtrail` eventName = ConsoleLogin errorMessage="Failed authentication" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_credential_access_failed_login_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: Users may genuinely mistype or forget the password. diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml index 78e473d83e..366d056882 100644 
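Review bot: Replacing the Authentication data-model `tstats` with a raw `cloudtrail eventName = ConsoleLogin errorMessage="Failed authentication"` search makes this detection a superset of AWS Console Login Failed During MFA Challenge, which this same commit rewrites to the identical filter plus `additionalEventData.MFAUsed = "Yes"`; every MFA-stage failure will now raise two risk events against the same user and source. Excluding `additionalEventData.MFAUsed = "Yes"` here, or at least noting the overlap in `known_false_positives` (outside this hunk), avoids double scoring. It is also worth confirming that `userName` is populated on failed console logins; when the sign-in fails on an unknown principal I believe CloudTrail records a masked placeholder rather than a name, so the `user` risk object may be that placeholder for exactly the events this detection targets.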
--- a/detections/cloud/aws_credential_access_getpassworddata.yml +++ b/detections/cloud/aws_credential_access_getpassworddata.yml @@ -1,6 +1,6 @@ name: AWS Credential Access GetPasswordData id: 4d347c4a-306e-41db-8d10-b46baf71b3e2 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Splunk status: production @@ -15,11 +15,14 @@ description: The following analytic identifies more than 10 GetPasswordData API further compromise of the AWS environment. data_source: - AWS CloudTrail GetPasswordData -search: '`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com | bin - _time span=5m | stats count values(errorCode) as errorCode dc(requestParameters.instanceId) - as distinct_instance_ids values(requestParameters.instanceId) as instance_ids by - aws_account_id src_ip user_arn userAgent eventName _time | where distinct_instance_ids - > 10 | `aws_credential_access_getpassworddata_filter`' +search: '`cloudtrail` eventName=GetPasswordData eventSource = ec2.amazonaws.com + | bin _time span=5m + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime dc(requestParameters.instanceId) as distinct_instance_ids by action dest user user_agent src vendor_account vendor_region vendor_product + | where distinct_instance_ids > 10 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_credential_access_getpassworddata_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We encourage the users to adjust the values of `distinct_instance_ids` and tweak the `span` value according to their environment. 
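Review bot: The new `stats count min(_time) as firstTime max(_time) as lastTime dc(requestParameters.instanceId) as distinct_instance_ids by action dest user user_agent src vendor_account vendor_region vendor_product` removes `values(requestParameters.instanceId) as instance_ids` from the old search, yet the `rba.message` in the next hunk still substitutes `$instance_ids$`, so the risk message will render with an empty token. It also drops `_time` from the by-clause, which turns the preceding `bin _time span=5m` into a no-op: `distinct_instance_ids > 10` is now evaluated over the whole search window rather than per five-minute bucket, contrary to the `how_to_implement` advice to tune `span`. Restoring both gives `| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.instanceId) as instance_ids dc(requestParameters.instanceId) as distinct_instance_ids by _time action dest user user_agent src vendor_account vendor_region vendor_product`.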
@@ -29,12 +32,12 @@ references: - https://attack.mitre.org/techniques/T1552/ - https://stratus-red-team.cloud/attack-techniques/AWS/aws.credential-access.ec2-get-password-data/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,14 +46,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ is seen to make mulitple `GetPasswordData` API calls to - instance ids $instance_ids$ from IP $src_ip$ + message: User $user$ is seen to make mulitple `GetPasswordData` API calls to + instance ids $instance_ids$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml index 344ab68bfa..1a6310fc2f 100644 --- a/detections/cloud/aws_credential_access_rds_password_reset.yml +++ b/detections/cloud/aws_credential_access_rds_password_reset.yml 
@@ -1,6 +1,6 @@
 name: AWS Credential Access RDS Password reset
 id: 6153c5ea-ed30-4878-81e6-21ecdb198189
-version: 6
+version: 7
 date: '2025-02-10'
 author: Gowthamaraj Rajendran, Splunk
 status: production
@@ -16,21 +16,22 @@ description: The following analytic detects the resetting of the master user pas data_source: - AWS CloudTrail ModifyDBInstance search: '`cloudtrail` eventSource="rds.amazonaws.com" eventName=ModifyDBInstance "requestParameters.masterUserPassword"=* - | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) - as database_id by src awsRegion eventName userAgent user_arn| `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.dBInstanceIdentifier) as database_id by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `aws_credential_access_rds_password_reset_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: Users may genuinely reset the RDS password. 
references: - https://aws.amazon.com/premiumsupport/knowledge-center/reset-master-user-password-rds drilldown_searches: -- name: View the detection results for - "$database_id$" - search: '%original_detection_search% | search database_id = "$database_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$database_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$database_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml index 94cb3378c3..c2c6adda25 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml @@ -1,6 +1,6 @@ name: AWS Defense Evasion Delete Cloudtrail id: 82092925-9ca1-4e06-98b8-85a2d3889552 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Splunk status: production 
@@ -15,11 +15,11 @@ description: The following analytic detects the deletion of AWS CloudTrail logs leading to prolonged unauthorized access and further exploitation. data_source: - AWS CloudTrail DeleteTrail -search: '`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com - userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as - firstTime max(_time) as lastTime values(requestParameters.name) as deleted_cloudtrail_name - by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`' +search: '`cloudtrail` eventName = DeleteTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudtrail_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible 
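Review bot: The new `stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product` drops `values(requestParameters.name) as deleted_cloudtrail_name`, so the alert no longer says which trail was deleted, which is the most useful fact for triaging a logging-impairment event. Adding `values(requestParameters.name) as deleted_cloudtrail_name` back into the stats costs nothing and keeps the field available to the rba message. The DeleteLogGroup hunk below loses `values(requestParameters.logGroupName) as log_group_name` the same way, and the Impair Security Services hunk loses `values(requestParameters.*) as *`.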
@@ -27,12 +27,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has delete a CloudTrail logging for account id $aws_account_id$ + message: User $user$ has delete a CloudTrail logging for account id $vendor_account$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 90 threat_objects: diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml index 1ed54c1b07..3308368693 100644 --- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml +++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml 
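Review bot: The rewritten `rba.message` keeps `has delete a CloudTrail logging`, a grammatical slip carried over from the removed line; `message: User $user$ deleted CloudTrail logging for account id $vendor_account$` reads correctly and changes no substitution token. The DeleteLogGroup counterpart in a later hunk already reads `has deleted`, so this also brings the two messages into line.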
@@ -1,6 +1,6 @@ name: AWS Defense Evasion Delete CloudWatch Log Group id: d308b0f1-edb7-4a62-a614-af321160710f -version: 5 +version: 6 date: '2025-02-10' author: Gowthamaraj Rajendran, Splunk status: production @@ -15,11 +15,11 @@ description: The following analytic detects the deletion of CloudWatch log group within the compromised AWS environment. data_source: - AWS CloudTrail DeleteLogGroup -search: '`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com - userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as - firstTime max(_time) as lastTime values(requestParameters.logGroupName) as log_group_name - by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`' +search: '`cloudtrail` eventName = DeleteLogGroup eventSource = logs.amazonaws.com userAgent !=console.amazonaws.com errorCode = success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_defense_evasion_delete_cloudwatch_log_group_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible 
@@ -27,12 +27,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has deleted a CloudWatch logging group for account id $aws_account_id$ + message: User $user$ has deleted a CloudWatch logging group for account id $vendor_account$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 90 threat_objects: diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml index e4575b1b7d..7dbfa9ad82 100644 --- a/detections/cloud/aws_defense_evasion_impair_security_services.yml +++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml 
@@ -1,6 +1,6 @@ name: AWS Defense Evasion Impair Security Services id: b28c4957-96a6-47e0-a965-6c767aac1458 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Gowthamaraj Rajendran, Splunk status: production @@ -23,10 +23,10 @@ data_source: - AWS CloudTrail DeleteLoggingConfiguration - AWS CloudTrail DeleteAlarms search: '`cloudtrail` eventName IN ("DeleteLogStream","DeleteDetector","DeleteIPSet","DeleteWebACL","DeleteRule","DeleteRuleGroup","DeleteLoggingConfiguration","DeleteAlarms") - | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as - eventName values(eventSource) as eventSource values(requestParameters.*) as * by - src region user_arn aws_account_id user_type user_agent errorCode| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_impair_security_services_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml index 036da0fa9e..243134cb17 100644 --- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml +++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml 
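Review bot: `errorCode` is removed from the `by` clause and there is still no `errorCode=success` filter in the base search, so a rejected delete call and a successful one now collapse into the same row with nothing to tell them apart. Either keep it in the group-by, `... by action dest user user_agent src vendor_account vendor_region vendor_product errorCode`, or filter on success as the sibling CloudTrail and CloudWatch searches in this diff already do. The PutBucketVersioning search further down drops `errorCode` from its group-by in the same way.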
@@ -1,6 +1,6 @@ name: AWS Defense Evasion PutBucketLifecycle id: ce1c0e2b-9303-4903-818b-0d9002fc6ea4 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel status: production @@ -15,11 +15,12 @@ description: The following analytic detects `PutBucketLifecycle` events in AWS C data_source: - AWS CloudTrail PutBucketLifecycle search: '`cloudtrail` eventName=PutBucketLifecycle user_type=IAMUser errorCode=success - | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days - output=expiration_days | spath path=requestParameters{}.bucketName output=bucket_name - | stats count min(_time) as firstTime max(_time) as lastTime by src region eventName - userAgent user_arn aws_account_id expiration_days bucket_name user_type| `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | where expiration_days < 3 | `aws_defense_evasion_putbucketlifecycle_filter`' + | spath path=requestParameters{}.LifecycleConfiguration{}.Rule{}.Expiration{}.Days output=expiration_days + | spath path=requestParameters{}.bucketName output=bucket_name + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name expiration_days + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_defense_evasion_putbucketlifecycle_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. We recommend our users to set the expiration days value according to your company's log retention policies. diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml index e459980cb4..1373c8781b 100644 
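Review bot: The `| where expiration_days < 3` clause present on the old side is not carried over, so the detection now fires on every successful `PutBucketLifecycle` by an IAM user regardless of the expiration value, which contradicts the `how_to_implement` text about tuning the expiration-days threshold to the retention policy. Reinsert it between the `stats` line and the filter macro, `| where expiration_days < 3`; `expiration_days` is already kept in the `by` clause on the new side, so nothing else needs to change.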
--- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml @@ -1,6 +1,6 @@ name: AWS Defense Evasion Stop Logging Cloudtrail id: 8a2f3ca2-4eb5-4389-a549-14063882e537 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Splunk status: production @@ -15,11 +15,11 @@ description: The following analytic detects `StopLogging` events in AWS CloudTra to unauthorized access or data exfiltration. data_source: - AWS CloudTrail StopLogging -search: '`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com - userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as - firstTime max(_time) as lastTime values(requestParameters.name) as stopped_cloudtrail_name - by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`' +search: '`cloudtrail` eventName = StopLogging eventSource = cloudtrail.amazonaws.com userAgent!=console.amazonaws.com errorCode = success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_defense_evasion_stop_logging_cloudtrail_filter`' how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible 
@@ -27,12 +27,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has stopped Cloudtrail logging for account id $aws_account_id$ + message: User $user$ has stopped Cloudtrail logging for account id $vendor_account$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 90 threat_objects: diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml index 8e6052f1b5..71a3be13fb 100644 --- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml +++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml @@ -1,6 +1,6 @@ name: AWS Defense Evasion Update Cloudtrail id: 7c921d28-ef48-4f1b-85b3-0af8af7697db -version: 5 +version: 6 date: '2025-02-10' author: Gowthamaraj Rajendran, Splunk status: production 
@@ -15,11 +15,11 @@ description: The following analytic detects `UpdateTrail` events in AWS CloudTra security of the AWS environment. data_source: - AWS CloudTrail UpdateTrail -search: '`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com - userAgent !=console.amazonaws.com errorCode = success| stats count min(_time) as - firstTime max(_time) as lastTime values(requestParameters.name) as cloudtrail_name - by src region eventName userAgent user_arn aws_account_id | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`' +search: '`cloudtrail` eventName = UpdateTrail eventSource = cloudtrail.amazonaws.com userAgent !=console.amazonaws.com errorCode = success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `aws_defense_evasion_update_cloudtrail_filter`' how_to_implement: You must install Splunk AWS Add on and enable CloudTrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible 
@@ -27,12 +27,12 @@ known_false_positives: While this search has no known false positives, it is pos references: - https://attack.mitre.org/techniques/T1562/008/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has updated a cloudtrail logging for account id $aws_account_id$ + message: User $user$ has updated a cloudtrail logging for account id $vendor_account$ from IP $src$ risk_objects: - - field: user_arn + - field: user type: user score: 90 threat_objects: diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml index c5241c74bc..52c5bb40a6 100644 --- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml +++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml 
@@ -1,6 +1,6 @@
 name: AWS Detect Users creating keys with encrypt policy without MFA
 id: c79c164f-4b21-4847-98f9-cf6a9f49179e
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rod Soto, Patrick Bareiss Splunk
 status: production
@@ -16,15 +16,18 @@ description: The following analytic detects the creation of AWS KMS keys with an data_source: - AWS CloudTrail CreateKey - AWS CloudTrail PutKeyPolicy -search: '`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy - output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | - spath input=key_policy_statements output=key_policy_action_1 path=Action | spath - input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, - key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal - path=Principal.AWS | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" - | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource - eventID awsRegion userIdentity.principalId user | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' +search: '`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy + | spath input=requestParameters.policy output=key_policy_statements path=Statement{} + | mvexpand key_policy_statements + | spath input=key_policy_statements output=key_policy_action_1 path=Action + | spath input=key_policy_statements output=key_policy_action_2 path=Action{} + | eval key_policy_action=mvappend(key_policy_action_1,key_policy_action_2) + | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS + | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product key_policy_action 
key_policy_principal + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs known_false_positives: unknown diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml index 074c3883c1..9296c2c437 100644 --- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml +++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml @@ -1,6 +1,6 @@ name: AWS Detect Users with KMS keys performing encryption S3 id: 884a5f59-eec7-4f4a-948b-dbde18225fdc -version: 5 +version: 6 date: '2024-11-14' author: Rod Soto, Patrick Bareiss Splunk status: production 
@@ -15,12 +15,11 @@ description: The following analytic identifies users with KMS keys performing en data_source: - AWS CloudTrail search: '`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms" - | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source - AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime - max(_time) as lastTime values(bucketName) as bucketName values(src_file) AS src_file - values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS - region values(src) AS src by user | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` - |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`' + | rename requestParameters.bucketName AS bucketName, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucketName src_file dest_file + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `aws_detect_users_with_kms_keys_performing_encryption_s3_filter`' how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs known_false_positives: There maybe buckets provisioned with S3 encryption diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml index 8fd550eba5..633072c453 100644 --- a/detections/cloud/aws_disable_bucket_versioning.yml +++ b/detections/cloud/aws_disable_bucket_versioning.yml 
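Review bot: Moving `bucketName`, `src_file` and `dest_file` from `values()` aggregations into the `by` clause changes the output from one row per user to one row per copied object, which multiplies notables for a bulk copy and is a behavioral change beyond the field renames this commit is about. If that is not intended, keep the per-user shape with `| stats count min(_time) as firstTime max(_time) as lastTime values(bucketName) as bucketName values(src_file) as src_file values(dest_file) as dest_file by action dest user user_agent src vendor_account vendor_region vendor_product`. If it is intended, a short note in `known_false_positives` about the higher row volume would help tuners.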
@@ -1,6 +1,6 @@ name: AWS Disable Bucket Versioning id: 657902a9-987d-4879-a1b2-e7a65512824b -version: 4 +version: 5 date: '2024-11-14' author: Bhavin Patel, Splunk status: production @@ -15,10 +15,10 @@ description: The following analytic detects when AWS S3 bucket versioning is sus lead to data loss and hinder recovery efforts, severely impacting data integrity and availability. search: '`cloudtrail` eventName= PutBucketVersioning "requestParameters.VersioningConfiguration.Status"=Suspended - | stats count values(requestParameters.bucketName) as bucket_name values(resources{}.ARN) - as resource_arn by src_ip aws_account_id awsRegion eventName userAgent user_arn - userIdentity.principalId errorCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| - `aws_disable_bucket_versioning_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region, requestParameters.bucketName as bucket_name + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_disable_bucket_versioning_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS Administrator has legitimately disabled 
@@ -27,12 +27,12 @@ references: - https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82 - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,14 +41,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user_arn$ - from IP address $src_ip$ + message: Bucket Versioning is suspended for S3 buckets- $bucket_name$ by user $user$ + from IP address $src$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml index 8b0bed9a24..b5b351c84d 100644 --- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml +++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml 
@@ -1,6 +1,6 @@ name: AWS EC2 Snapshot Shared Externally id: 2a9b80d3-6340-4345-b5ad-290bf3d222c4 -version: 6 +version: 7 date: '2024-11-14' author: Bhavin Patel, Splunk status: production @@ -15,11 +15,16 @@ description: The following analytic detects when an EC2 snapshot is shared with of the compromised information. data_source: - AWS CloudTrail ModifySnapshotAttribute -search: '`cloudtrail` eventName=ModifySnapshotAttribute | rename requestParameters.createVolumePermission.add.items{}.userId - as requested_account_id | search requested_account_id != NULL | eval match=if(requested_account_id==aws_account_id,"Match","No - Match") | table _time user_arn src_ip requestParameters.attributeType requested_account_id - aws_account_id match vendor_region user_agent userIdentity.principalId | where match - = "No Match" | `aws_ec2_snapshot_shared_externally_filter`' +search: '`cloudtrail` eventName=ModifySnapshotAttribute + | rename requestParameters.createVolumePermission.add.items{}.userId as requested_account_id + | search requested_account_id != NULL + | eval match=if(requested_account_id==aws_account_id,"Match","No Match") + | where match = "No Match" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_ec2_snapshot_shared_externally_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS admin has legitimately shared a 
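Review bot: `requested_account_id` is no longer in the `stats ... by` list, but the updated risk message in the next hunk still interpolates `$requested_account_id$`, so the account the snapshot was shared with will be blank in the notable; the old `table` kept it. Add it to the group-by: `| stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product requested_account_id`. Separately, the `match` eval compares against `aws_account_id` while the output reports `userIdentity.accountId` as `vendor_account`; if those two fields can differ for the same event, `from account $vendor_account$` in the message will not be the account the comparison used, so either derive both from one source field or document why they are equivalent.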
@@ -29,12 +34,12 @@ references: - https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ebs-snapshot/ - https://hackingthe.cloud/aws/enumeration/loot_public_ebs_snapshots/ drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,14 +48,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS EC2 snapshot from account $aws_account_id$ is shared with $requested_account_id$ - by user $user_arn$ from $src_ip$ + message: AWS EC2 snapshot from account $vendor_account$ is shared with $requested_account_id$ + by user $user$ from $src$ risk_objects: - - field: user_arn + - field: user type: user score: 48 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml index 5725fbb00d..3714ddbd98 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml 
@@ -1,6 +1,6 @@
 name: AWS ECR Container Scanning Findings High
 id: 30a0e9f8-f1dd-4f9d-8fc2-c622461d781c
-version: 6
+version: 7
 date: '2025-02-10'
 author: Patrick Bareiss, Splunk
 status: production
@@ -17,13 +17,14 @@ description: The following analytic identifies high-severity findings from AWS E data_source: - AWS CloudTrail DescribeImageScanFindings search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings - | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand - findings | spath input=findings | search severity=HIGH | rename name as finding_name, - description as finding_description, requestParameters.imageId.imageDigest as imageDigest, - requestParameters.repositoryName as repository, userIdentity.principalId as user - | eval finding = finding_name.", ".finding_description | eval phase="release" | - eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, - eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity + | spath path=responseElements.imageScanFindings.findings{} output=findings + | mvexpand findings + | spath input=findings + | search severity=HIGH + | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product finding_name finding_description imageDigest repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_high_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
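Review bot: `eval severity="high"` is removed and `severity` is not in the new `by` clause, so it does not survive `stats`; if this file's `rba.message` still reads `Vulnerabilities with severity $severity$ found in repository $repository$` (as the medium and low siblings did before this commit), that token now renders empty. The rba hunk for this file is outside this view, so please confirm it was updated the way the medium sibling's was. The medium search hunk further down has the same shape and the same dependency.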
@@ -31,12 +32,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for - "$repository$" - search: '%original_detection_search% | search repository = "$repository$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml index b9aa8443f3..106f0ae2ed 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml @@ -1,6 +1,6 @@ name: AWS ECR Container Scanning Findings Low Informational Unknown id: cbc95e44-7c22-443f-88fd-0424478f5589 -version: 6 +version: 7 date: '2025-02-10' author: Patrick Bareiss, Eric McGinnis Splunk status: production 
@@ -16,14 +16,15 @@ description: The following analytic identifies low, informational, or unknown se data_source: - AWS CloudTrail DescribeImageScanFindings search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings - | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand - findings | spath input=findings| search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") - | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest - as imageDigest, requestParameters.repositoryName as repository, userIdentity.principalId - as user | eval finding = finding_name.", ".finding_description | eval phase="release" - | eval severity="low" | stats min(_time) as firstTime max(_time) as lastTime by - awsRegion, eventName, eventSource, imageDigest, repository, user, src_ip, finding, - phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | spath path=responseElements.imageScanFindings.findings{} output=findings + | mvexpand findings + | spath input=findings + | search severity IN ("LOW", "INFORMATIONAL", "UNKNOWN") + | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product finding_name finding_description imageDigest repository + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_low_informational_unknown_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. 
This search works with AWS CloudTrail logs. @@ -31,12 +32,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for - "$repository$" - search: '%original_detection_search% | search repository = "$repository$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -45,7 +46,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Vulnerabilities with severity $severity$ found in repository $repository$ + message: Vulnerabilities found in repository $repository$ risk_objects: - field: user type: user diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml index 92b1b9ea7d..4f7b7f2c14 100644 --- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml +++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml @@ -1,6 +1,6 @@ name: AWS ECR Container Scanning Findings Medium id: 0b80e2c8-c746-4ddb-89eb-9efd892220cf -version: 6 +version: 7 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
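Review bot: The new risk message `Vulnerabilities found in repository $repository$` drops the severity entirely, while the medium sibling in this same commit keeps it as a literal, so analysts lose the one attribute that distinguishes this notable from the other two ECR findings detections. A literal works here too: `message: Vulnerabilities with severity low, informational or unknown found in repository $repository$`.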
@@ -16,13 +16,14 @@ description: The following analytic identifies medium-severity findings from AWS data_source: - AWS CloudTrail DescribeImageScanFindings search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=DescribeImageScanFindings - | spath path=responseElements.imageScanFindings.findings{} output=findings | mvexpand - findings | spath input=findings| search severity=MEDIUM | rename name as finding_name, - description as finding_description, requestParameters.imageId.imageDigest as imageDigest, - requestParameters.repositoryName as repository, userIdentity.principalId as user| - eval finding = finding_name.", ".finding_description | eval phase="release" | eval - severity="medium" | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, - eventName, eventSource, imageDigest, repository, user, src_ip, finding, phase, severity + | spath path=responseElements.imageScanFindings.findings{} output=findings + | mvexpand findings + | spath input=findings + | search severity=MEDIUM + | rename name as finding_name, description as finding_description, requestParameters.imageId.imageDigest as imageDigest, requestParameters.repositoryName as repository + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product finding_name finding_description imageDigest repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_scanning_findings_medium_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
@@ -30,12 +31,12 @@ known_false_positives: unknown references: - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html drilldown_searches: -- name: View the detection results for - "$repository$" - search: '%original_detection_search% | search repository = "$repository$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$repository$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$repository$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -44,7 +45,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Vulnerabilities with severity $severity$ found in repository $repository$ + message: Vulnerabilities with severity medium found in repository $repository$ risk_objects: - field: user type: user diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml index c72dfc4012..ec7d22be55 100644 --- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml +++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml @@ -1,6 +1,6 @@ name: AWS ECR Container Upload Outside Business Hours id: d4c4d4eb-3994-41ca-a25e-a82d64e125bb -version: 6 +version: 7 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
@@ -16,10 +16,12 @@ description: The following analytic detects the upload of a new container image data_source: - AWS CloudTrail PutImage search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage date_hour>=20 - OR date_hour<8 OR date_wday=saturday OR date_wday=sunday | rename requestParameters.* - as * | rename repositoryName AS repository | eval phase="release" | eval severity="medium" - | stats min(_time) as firstTime max(_time) as lastTime by awsRegion, eventName, - eventSource, user, userName, src_ip, imageTag, registryId, repository, phase, severity + OR date_hour<8 OR date_wday=saturday OR date_wday=sunday + | rename requestParameters.* as * + | rename repositoryName AS repository + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product repository | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_outside_business_hours_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -48,7 +50,7 @@ rba: type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml index 345bf6d589..ecf00814e5 100644 --- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml +++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml @@ -1,6 +1,6 @@ name: AWS ECR Container Upload Unknown User id: 300688e4-365c-4486-a065-7c884462b31d -version: 5 +version: 6 date: '2025-02-10' author: Patrick Bareiss, Splunk status: production 
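Review bot: The rewritten stats groups only by the normalized fields plus `repository`, so `imageTag` and `registryId`, which the removed by-clause carried, are no longer in the output; the tag that was pushed is the most useful pivot when triaging an off-hours PutImage. Append them to the by-clause, `... vendor_product repository imageTag registryId`, or carry them as `values(imageTag) as imageTag values(registryId) as registryId`. If the rba message or drilldowns outside this hunk still reference `$imageTag$` or `$registryId$`, they now expand to empty strings. aws_ecr_container_upload_unknown_user.yml in the next hunk drops the same two fields.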
@@ -15,10 +15,12 @@ description: The following analytic detects the upload of a new container image data_source: - AWS CloudTrail PutImage search: '`cloudtrail` eventSource=ecr.amazonaws.com eventName=PutImage NOT `aws_ecr_users` - | rename requestParameters.* as * | rename repositoryName AS image | eval phase="release" - | eval severity="high" | stats min(_time) as firstTime max(_time) as lastTime by - awsRegion, eventName, eventSource, user, userName, src_ip, imageTag, registryId, - image, phase, severity | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | rename requestParameters.* as * + | rename repositoryName AS image + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product image + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_ecr_container_upload_unknown_user_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. @@ -46,7 +48,7 @@ rba: type: user score: 49 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml index 777ddb58a0..5451636bfb 100644 --- a/detections/cloud/aws_excessive_security_scanning.yml +++ b/detections/cloud/aws_excessive_security_scanning.yml @@ -1,6 +1,6 @@ name: AWS Excessive Security Scanning id: 1fdd164a-def8-4762-83a9-9ffe24e74d5a -version: 4 +version: 5 date: '2024-11-14' author: Patrick Bareiss, Splunk status: production 
@@ -14,11 +14,13 @@ description: The following analytic identifies excessive security scanning activ exploitation of your cloud infrastructure. data_source: - AWS CloudTrail -search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | - stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime - values(eventName) as command values(src) as src values(userAgent) as userAgent by - user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`' +search: '`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* + | fillnull + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(action) as dc_events min(_time) as firstTime max(_time) as lastTime values(action) as action values(dest) as dest values(user_agent) as user_agent values(src) as src values(vendor_account) as vendor_account values(vendor_region) as vendor_region by user + | where dc_events > 50 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|`aws_excessive_security_scanning_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: While this search has no known false positives. @@ -40,7 +42,7 @@ drilldown_searches: latest_offset: $info_max_time$ rba: message: User $user$ has excessive number of api calls $dc_events$ from these IP - addresses $src$, violating the threshold of 50, using the following commands $command$. + addresses $src$, violating the threshold of 50, using the following actions $action$. risk_objects: - field: user type: user 
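Review bot: The bare `| fillnull` added before the rename fills every null field with `0`, so any event without `userName` (role sessions or service calls, depending on how the add-on populates the field) is grouped under `user=0`; with the old `userIdentity.arn` gone from the by-clause, all such callers share one `dc(action)` bucket and one risk object named `0`. Consider `| eval userName=coalesce(userName, 'userIdentity.arn')` before the rename, and restrict the fill to the fields the stats needs, e.g. `| fillnull value="unknown" userAgent sourceIPAddress awsRegion`. aws_exfiltration_via_batch_service.yml uses the same bare `fillnull`.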
diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml index 76a669be53..ac279b1848 100644 --- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml +++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml @@ -1,6 +1,6 @@ name: AWS Exfiltration via Anomalous GetObject API Activity id: e4384bbf-5835-4831-8d85-694de6ad2cc6 -version: 4 +version: 5 date: '2024-11-14' author: Bhavin Patel, Splunk status: production @@ -14,9 +14,13 @@ description: The following analytic identifies anomalous GetObject API activity within a 10-minute window. This activity is significant as it may indicate unauthorized data access or exfiltration from S3 buckets. If confirmed malicious, attackers could exfiltrate sensitive data, leading to data breaches and compliance violations. -search: '`cloudtrail` eventName=GetObject | bin _time span=10m | stats count values(requestParameters.bucketName) - as bucketName by _time src_ip aws_account_id user_type user_arn userIdentity.principalId - | anomalydetection "count" "user_type" "user_arn" action=annotate | search probable_cause=* +search: '`cloudtrail` eventName=GetObject + | bin _time span=10m + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count values(requestParameters.bucketName) as bucketName by action dest user user_agent src vendor_account vendor_region vendor_product + | anomalydetection "count" "user" action=annotate + | search probable_cause=* |`aws_exfiltration_via_anomalous_getobject_api_activity_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
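Review bot: `_time` was removed from the stats by-clause, so the preceding `| bin _time span=10m` no longer partitions anything and the count collapses to one row per user/agent/source for the whole search window; `anomalydetection "count" "user"` then has no per-window series to compare against, which contradicts the description's 10-minute window. Restore it: `| stats count values(requestParameters.bucketName) as bucketName by _time action dest user user_agent src vendor_account vendor_region vendor_product`. The `search probable_cause=*` filter that follows is unaffected.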
@@ -28,12 +32,12 @@ references: - https://docs.splunk.com/Documentation/Splunk/9.0.4/SearchReference/Anomalydetection - https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -42,13 +46,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Anomalous S3 activities detected by user $user_arn$ from $src_ip$ + message: Anomalous S3 activities detected by user $user$ from $src$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml index 5e36251cd2..4b76762dcb 100644 --- a/detections/cloud/aws_exfiltration_via_batch_service.yml +++ b/detections/cloud/aws_exfiltration_via_batch_service.yml 
@@ -1,6 +1,6 @@ name: AWS Exfiltration via Batch Service id: 04455dd3-ced7-480f-b8e6-5469b99e98e2 -version: 4 +version: 5 date: '2024-11-14' author: Bhavin Patel, Splunk status: production @@ -14,10 +14,12 @@ description: The following analytic identifies the creation of AWS Batch jobs th to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information. -search: '`cloudtrail` eventName = JobCreated | stats count min(_time) as firstTime - max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) - as status by src_ip aws_account_id eventName errorCode userAgent | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`' +search: '`cloudtrail` eventName = JobCreated + | fillnull + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_batch_service_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS Administrator or a user has legitimately 
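Review bot: The new stats dropped `values(serviceEventDetails.jobArn) as job_arn`, `values(serviceEventDetails.status) as status` and `errorCode`, so a JobCreated event is now reported without the job ARN an analyst would pivot on and without distinguishing a denied call from a successful one. Keep them as aggregates rather than by-fields (a by-field drops events that have no `errorCode`, which is what the removed version did): `| stats count min(_time) as firstTime max(_time) as lastTime values(serviceEventDetails.jobArn) as job_arn values(serviceEventDetails.status) as status values(errorCode) as errorCode by action dest user user_agent src vendor_account vendor_region vendor_product`. aws_exfiltration_via_datasync_task.yml drops `errorCode` the same way.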
@@ -26,12 +28,12 @@ references: - https://hackingthe.cloud/aws/exploitation/s3-bucket-replication-exfiltration/ - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -40,13 +42,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS Batch Job is created on account id - $aws_account_id$ from src_ip $src_ip$ + message: AWS Batch Job is created on account id - $vendor_account$ from src_ip $src$ risk_objects: - - field: aws_account_id + - field: user type: other score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml index 496174416a..93c4a38b18 100644 --- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml +++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml 
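Review bot: `risk_objects: - field: user type: other` keeps the `other` type from the old `aws_account_id` object while the field is now a user name; every other detection in this commit maps `field: user` to `type: user`, and the type is what the risk index uses to classify the object. Change it to `type: user`. The message text `from src_ip $src$` still names the old field; `from src $src$` would match what it prints.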
@@ -1,6 +1,6 @@ name: AWS Exfiltration via Bucket Replication id: eeb432d6-2212-43b6-9e89-fcd753f7da4c -version: 4 +version: 5 date: '2024-11-14' author: Bhavin Patel, Splunk status: production @@ -15,10 +15,10 @@ description: The following analytic detects API calls to enable S3 bucket replic could replicate sensitive data to external accounts, leading to data breaches and compliance violations. search: '`cloudtrail` eventName = PutBucketReplication eventSource = s3.amazonaws.com - | rename requestParameters.* as * | stats count values(bucketName) as source_bucket - values(ReplicationConfiguration.Rule.ID) as rule_id values(ReplicationConfiguration.Rule.Destination.Bucket) - as destination_bucket by _time user_arn userName user_type src_ip aws_account_id - userIdentity.principalId user_agent | `aws_exfiltration_via_bucket_replication_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region, requestParameters.bucketName as bucket_name + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product bucket_name + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_bucket_replication_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS admin has legitimately implemented 
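Review bot: The rewritten stats keeps only `requestParameters.bucketName` and drops `ReplicationConfiguration.Rule.Destination.Bucket` and `Rule.ID`, which the removed lines surfaced as `destination_bucket` and `rule_id`; for an exfiltration-via-replication detection the destination bucket (and whether it sits in a foreign account) is the fact that decides whether the alert matters. Add `values(requestParameters.ReplicationConfiguration.Rule.Destination.Bucket) as destination_bucket values(requestParameters.ReplicationConfiguration.Rule.ID) as rule_id` to the stats and restore `$destination_bucket$` in the rba message in the next hunk. The old path was resolved after `rename requestParameters.* as *`, which this version no longer runs, hence the full prefix.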
@@ -42,14 +42,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: AWS Bucket Replication rule $rule_id$ added on $source_bucket$ to $destination_bucket$ - by user $user_arn$ from IP Address - $src_ip$ + message: AWS Bucket Replication rule added to $bucket_name$ + by user $user$ from IP Address - $src$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml index 74dd45c149..b0e454b109 100644 --- a/detections/cloud/aws_exfiltration_via_datasync_task.yml +++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml @@ -1,6 +1,6 @@ name: AWS Exfiltration via DataSync Task id: 05c4b09f-ea28-4c7c-a7aa-a246f665c8a2 -version: 4 +version: 5 date: '2024-11-14' author: Bhavin Patel, Splunk status: production 
@@ -15,10 +15,11 @@ description: The following analytic detects the creation of an AWS DataSync task this could result in unauthorized access to sensitive information, causing severe data breaches and compliance violations. search: '`cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com" - | rename requestParameters.* as * | stats count min(_time) as firstTime max(_time) - as lastTime by src_ip aws_account_id awsRegion eventName destinationLocationArn - sourceLocationArn userAgent user_arn userIdentity.principalId errorCode | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' + | rename requestParameters.* as * + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product destinationLocationArn sourceLocationArn + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_exfiltration_via_datasync_task_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: It is possible that an AWS Administrator has legitimately created 
@@ -29,11 +30,11 @@ references: - https://www.shehackske.com/how-to/data-exfiltration-on-cloud-1606/ drilldown_searches: - name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -42,14 +43,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: DataSync task created on account id - $aws_account_id$ by user $user_arn$ - from src_ip $src_ip$ + message: DataSync task created on account id - $vendor_account$ by user $user$ + from src_ip $src$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml index 713d7de058..29dcbe0b67 100644 --- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml +++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml @@ -1,6 +1,6 @@ name: AWS Exfiltration via EC2 Snapshot id: ac90b339-13fc-4f29-a18c-4abbba1f2171 -version: 4 +version: 5 date: '2024-11-14' author: Bhavin Patel, Splunk status: production 
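Review bot: The first drilldown's `name: View the detection results for - "$aws_account_id$"` was left as a context line while its `search` now filters on `user = "$user$"`, so the link is labelled with a field the detection no longer emits and the label expands to an empty value. Change it to `- name: View the detection results for - "$user$"` as the other detections in this commit do.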
@@ -18,12 +18,14 @@ description: The following analytic detects a series of AWS API calls related to externally. If confirmed malicious, the attacker could gain access to sensitive information stored in the snapshots, leading to data breaches and potential compliance violations. -search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", - "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" - | bin _time span=5m | stats count dc(eventName) as distinct_api_calls values(eventName) values(requestParameters.attributeType) - as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) - as aws_account_id_added values(userAgent) as userAgent by _time userName src_ip - aws_account_id | where distinct_api_calls >= 2 | `aws_exfiltration_via_ec2_snapshot_filter`' +search: '`cloudtrail` eventName IN ("CreateSnapshot", "DescribeSnapshotAttribute", "ModifySnapshotAttribute", "DeleteSnapshot") src_ip !="guardduty.amazonaws.com" + | bin _time span=5m + | eval vendor_product = "AWS" + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | stats count dc(action) as distinct_api_calls values(action) as action values(dest) as dest values(requestParameters.attributeType) as attributeType values(requestParameters.createVolumePermission.add.items{}.userId) as aws_account_id_added values(user_agent) as user_agent by _time user src vendor_account vendor_region vendor_product + | where distinct_api_calls >= 2 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_exfiltration_via_ec2_snapshot_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. We have intentionally removed `guardduty.amazonaws.com` from src_ip to remove false positives caused by guard duty. 
We recommend you adjust @@ -37,12 +39,12 @@ references: - https://bleemb.medium.com/data-exfiltration-with-native-aws-s3-features-c94ae4d13436 - https://stratus-red-team.cloud/attack-techniques/list/ drilldown_searches: -- name: View the detection results for - "$aws_account_id$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -51,14 +53,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: Potential AWS EC2 Exfiltration detected on account id - $aws_account_id$ - by user $userName$ from src_ip $src_ip$ + message: Potential AWS EC2 Exfiltration detected on account id - $vendor_account$ + by user $user$ from src_ip $src$ risk_objects: - - field: userName + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml index 577fbd911f..d9afb8b908 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml 
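Review bot: The added `| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`` acts on fields this stats never produces — there is no `min(_time) as firstTime max(_time) as lastTime` in the by-`_time` aggregation — so both macro calls are dead. Either drop them or add the two aggregates to the stats. The base filter still uses `src_ip !="guardduty.amazonaws.com"` while the output uses `src` renamed from `sourceIPAddress`; that only works if the add-on keeps `src_ip` as an alias of the same field, so filtering on `sourceIPAddress` directly would be safer. The same orphaned macro pair is added in aws_high_number_of_failed_authentications_for_user.yml and aws_high_number_of_failed_authentications_from_ip.yml. The enclosing `search:` value begins in the previous line.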
+++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml @@ -1,6 +1,6 @@ name: AWS High Number Of Failed Authentications For User id: e3236f49-daf3-4b70-b808-9290912ac64d -version: 4 +version: 5 date: '2024-11-14' author: Bhavin Patel, Splunk status: production @@ -14,10 +14,14 @@ description: The following analytic detects an AWS account experiencing more tha the threshold based on their specific environment to reduce false positives. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time - | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) - by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts - > 20 | `aws_high_number_of_failed_authentications_for_user_filter`' +search: '`cloudtrail` eventName=ConsoleLogin action=failure + | bucket span=10m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(_raw) AS failed_attempts values(src) as src values(user_agent) as user_agent by _time, user, action, dest, vendor_account vendor_region, vendor_product + | where failed_attempts > 20 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_high_number_of_failed_authentications_for_user_filter`' how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: A user with more than 20 failed authentication attempts in 
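Review bot: The by-clause `by _time, user, action, dest, vendor_account vendor_region, vendor_product` mixes comma and whitespace separators, which reads like a missed comma after `vendor_account`; SPL accepts both, so this is style only, but the same list recurs in aws_high_number_of_failed_authentications_from_ip.yml and aws_iam_accessdenied_discovery_events.yml. Use one separator throughout, e.g. `by _time user action dest vendor_account vendor_region vendor_product`, matching the space-separated lists used elsewhere in this commit.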
@@ -25,12 +29,12 @@ known_false_positives: A user with more than 20 failed authentication attempts i references: - https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html drilldown_searches: -- name: View the detection results for - "$user_name$" - search: '%original_detection_search% | search user_name = "$user_name$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -39,10 +43,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ failed to authenticate more than 20 times in the span - of 5 minutes for AWS Account $aws_account_id$ + message: User $user$ failed to authenticate more than 20 times in the span + of 5 minutes for AWS Account $vendor_account$ risk_objects: - - field: user_name + - field: user type: user score: 35 threat_objects: [] diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml index 330c094796..80213c5005 100644 --- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml 
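Review bot: The rewritten message still says `in the span` / `of 5 minutes` while the search buckets on `span=10m`, so the narrative an analyst reads understates the window by half. Since the line is being touched anyway, change `of 5 minutes for AWS Account $vendor_account$` to `of 10 minutes for AWS Account $vendor_account$` so the text matches the bucket span.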
@@ -1,6 +1,6 @@ name: AWS High Number Of Failed Authentications From Ip id: f75b7f1a-b8eb-4975-a214-ff3e0a944757 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Splunk status: production @@ -14,10 +14,14 @@ description: The following analytic detects an IP address with 20 or more failed of AWS resources. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=5m _time - | stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) - by _time, src_ip, eventName, eventSource aws_account_id | where failed_attempts - > 20 | `aws_high_number_of_failed_authentications_from_ip_filter`' +search: '`cloudtrail` eventName=ConsoleLogin action=failure + | bucket span=10m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(_raw) AS failed_attempts values(user) as user values(user_agent) as user_agent by _time, src, action, dest, vendor_account vendor_region, vendor_product + | where failed_attempts > 20 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_high_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. 
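Review bot: `bucket span=5m` was changed to `span=10m` in the same hunk that normalizes field names, which silently halves the detection's sensitivity (20 failures per 10 minutes instead of per 5) without a word in the description or in how_to_implement, whose tuning guidance still talks about the bucket span. Either keep `| bucket span=5m _time` so the version bump is purely a field rename, or state the new window in the description and known_false_positives text.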
@@ -28,12 +32,12 @@ references: - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ - https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/ drilldown_searches: -- name: View the detection results for - "$tried_accounts$" - search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' +- name: View the detection results for - "$src$" + search: '%original_detection_search% | search src = "$src$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") +- name: View risk events for the last 7 days for - "$src$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,9 +47,9 @@ drilldown_searches: latest_offset: $info_max_time$ rba: message: 'Multiple failed console login attempts (Count: $failed_attempts$) against - users from IP Address - $src_ip$' + users from IP Address - $src$' risk_objects: - - field: tried_accounts + - field: user type: user score: 54 threat_objects: [] diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml index b35a8f0526..f3f2d7600f 100644 --- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml +++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml @@ -1,6 +1,6 @@ name: AWS IAM AccessDenied Discovery Events id: 3e1f1568-9633-11eb-a69c-acde48001122 -version: 5 +version: 6 date: '2024-11-14' author: Michael Haag, Splunk status: production 
@@ -15,10 +15,13 @@ description: The following analytic identifies excessive AccessDenied events wit data_source: - AWS CloudTrail search: '`cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com) - | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) - as lastTime, dc(eventName) as methods, dc(eventSource) as sources by src_ip, userIdentity.arn, - _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`' + | bucket _time span=1h + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(action) as methods, dc(dest) as sources values(action) as action values(dest) as dest by src, user, vendor_account vendor_region, vendor_product + | where failures >= 5 and methods >= 1 and sources >= 1 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | `aws_iam_accessdenied_discovery_events_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: It is possible to start this detection will need to be tuned 
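Review bot: `_time` was dropped from the `stats ... by` clause while `bucket _time span=1h` was kept, so the bucketing is dead and `failures >= 5` is now counted over the whole search window rather than per hour, which no longer matches the "within an hour" wording of the risk message; add `_time` back to the `by` list (`by _time, src, user, vendor_account, vendor_region, vendor_product`). Also note that `user` now comes from `userName` instead of `userIdentity.arn`; if `userName` is not a top-level extracted field in this sourcetype the rename is a no-op and events with a null `user` are silently dropped by `stats ... by user`.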
@@ -27,12 +30,12 @@ known_false_positives: It is possible to start this detection will need to be tu references: - https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-permission-errors/ drilldown_searches: -- name: View the detection results for - "$userIdentity.arn$" - search: '%original_detection_search% | search userIdentity.arn = "$userIdentity.arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$userIdentity.arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -41,14 +44,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $userIdentity.arn$ is seen to perform excessive number of discovery + message: User $user$ is seen to perform excessive number of discovery related api calls- $failures$, within an hour where the access was denied. risk_objects: - - field: userIdentity.arn + - field: user type: user score: 10 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml index 53c734eb11..5950c7d510 100644 --- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml +++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml 
@@ -1,6 +1,6 @@ name: AWS IAM Assume Role Policy Brute Force id: f19e09b0-9308-11eb-b7ec-acde48001122 -version: 4 +version: 5 date: '2024-11-14' author: Michael Haag, Splunk status: production @@ -15,12 +15,12 @@ description: The following analytic detects multiple failed attempts to assume a data and services. data_source: - AWS CloudTrail -search: '`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure - (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as - lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource - aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion - userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`' +search: '`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src, user, vendor_account vendor_region, vendor_product, action, dest, errorCode + | where count >= 2 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` greater than a value to identify suspicious activity in your environment. 
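Review bot: The grouping key changed from `user_arn` to `user` (renamed from `userName`), but CloudTrail only populates `userName` for IAM users and root; AssumedRole and federated principals carry `userIdentity.arn` without a `userName`, so their events get a null `user` and are silently dropped by `stats ... by user`, which is a blind spot for exactly the role-assumption abuse this detection targets. Keep an ARN-based fallback before the `stats`, e.g. `| eval user=coalesce(user, 'userIdentity.arn')`. The same rename pattern is applied to the other searches in this change, so the fallback probably belongs in those too.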
@@ -32,12 +32,12 @@ references: - https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/ - https://www.elastic.co/guide/en/security/current/aws-iam-brute-force-of-assume-role-policy.html drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -46,10 +46,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has caused multiple failures with errorCode $errorCode$, + message: User $user$ has caused multiple failures with errorCode $errorCode$, which potentially means adversary is attempting to identify a role name. risk_objects: - - field: user_arn + - field: user type: user score: 28 threat_objects: diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml index 3ce2296eff..9a1ff45d95 100644 --- a/detections/cloud/aws_iam_delete_policy.yml +++ b/detections/cloud/aws_iam_delete_policy.yml @@ -1,6 +1,6 @@ name: AWS IAM Delete Policy id: ec3a9362-92fe-11eb-99d0-acde48001122 -version: 4 +version: 5 date: '2024-11-14' author: Michael Haag, Splunk status: production 
@@ -15,11 +15,11 @@ description: The following analytic detects the deletion of an IAM policy in AWS the integrity and security of the AWS environment. data_source: - AWS CloudTrail DeletePolicy -search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats - count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) - as policyArn by src user_arn eventName eventSource aws_account_id errorCode errorMessage - userAgent eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`' +search: '`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: This detection will require tuning to provide high fidelity diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml index b69c6f006d..c2d7f3f6be 100644 --- a/detections/cloud/aws_iam_failure_group_deletion.yml +++ b/detections/cloud/aws_iam_failure_group_deletion.yml @@ -1,6 +1,6 @@ name: AWS IAM Failure Group Deletion id: 723b861a-92eb-11eb-93b8-acde48001122 -version: 6 +version: 7 date: '2024-11-14' author: Michael Haag, Splunk status: production 
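Review bot: The new `stats` dropped `values(requestParameters.policyArn) as policyArn` and the `errorCode`/`errorMessage` grouping, so the result no longer says which policy was deleted or whether the call succeeded; since the search has no `errorCode=success` filter, denied `DeletePolicy` attempts are now aggregated together with real deletions. Add `values(requestParameters.policyArn) as policyArn` to the aggregation and either `errorCode` to the `by` list or an `errorCode=success` filter, depending on which outcome the rba message is meant to describe.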
@@ -15,12 +15,11 @@ description: The following analytic identifies failed attempts to delete AWS IAM within the AWS environment. data_source: - AWS CloudTrail DeleteGroup -search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode - IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) - | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) - as group_name by src eventName eventSource aws_account_id errorCode errorMessage - userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`' +search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: This detection will require tuning to provide high fidelity 
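Review bot: `errorCode` was dropped from the `stats ... by` clause even though the filter deliberately selects three distinct failure modes (`NoSuchEntityException`, `DeleteConflictException`, `AccessDenied`), and `values(requestParameters.groupName) as group_name` is gone too, so an analyst can no longer tell enumeration of non-existent groups from a permission denial, nor see which groups were targeted. Re-add `values(requestParameters.groupName) as group_name` to the aggregation and `errorCode` to the `by` list.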
@@ -31,12 +30,12 @@ references: - https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html - https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -45,10 +44,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has had mulitple failures while attempting to delete groups + message: User $user$ has had mulitple failures while attempting to delete groups from $src$ risk_objects: - - field: user_arn + - field: user type: user score: 5 threat_objects: diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml index cc47b126e9..95b05b3e42 100644 --- a/detections/cloud/aws_iam_successful_group_deletion.yml +++ b/detections/cloud/aws_iam_successful_group_deletion.yml @@ -1,6 +1,6 @@ name: AWS IAM Successful Group Deletion id: e776d06c-9267-11eb-819b-acde48001122 -version: 6 +version: 7 date: '2025-02-10' author: Michael Haag, Splunk status: production 
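Review bot: The rba message in the last hunk here still reads `mulitple failures`; since the line is being rewritten anyway, fix the typo to `multiple failures`.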
@@ -15,11 +15,11 @@ description: The following analytic identifies the successful deletion of an IAM to assess the broader context. data_source: - AWS CloudTrail DeleteGroup -search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success - (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as - lastTime values(requestParameters.groupName) as group_deleted by src eventName eventSource - errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`' +search: '`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`' how_to_implement: The Splunk AWS Add-on and Splunk App for AWS is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: This detection will require tuning to provide high fidelity diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml index a56d5651f3..cead07f377 100644 --- a/detections/cloud/aws_lambda_updatefunctioncode.yml +++ b/detections/cloud/aws_lambda_updatefunctioncode.yml @@ -1,6 +1,6 @@ name: AWS Lambda UpdateFunctionCode id: 211b80d3-6340-4345-11ad-212bf3d0d111 -version: 5 +version: 6 date: '2024-11-14' author: Bhavin Patel, Splunk status: production 
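Review bot: `values(requestParameters.groupName) as group_deleted` was removed from the `stats`, so the alert for a successful group deletion no longer names the group that was deleted, which is the single most useful triage field for this event. Add it back to the aggregation: `values(requestParameters.groupName) as group_deleted`.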
@@ -14,10 +14,11 @@ description: The following analytic identifies IAM users attempting to update or compromising the integrity and security of your AWS infrastructure. data_source: - AWS CloudTrail -search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode - = success user_type=IAMUser | stats count min(_time) as firstTime max(_time) as - lastTime values(requestParameters.functionName) as function_updated by src_ip user_arn - user_agent user_type eventName aws_account_id |`aws_lambda_updatefunctioncode_filter`' +search: '`cloudtrail` eventSource=lambda.amazonaws.com eventName=UpdateFunctionCode* errorCode = success user_type=IAMUser + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_lambda_updatefunctioncode_filter`' how_to_implement: You must install Splunk AWS Add on and enable Cloudtrail logs in your AWS Environment. known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml index 6d85bd5101..89e34fd41d 100644 --- a/detections/cloud/aws_multi_factor_authentication_disabled.yml +++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml @@ -1,6 +1,6 @@ name: AWS Multi-Factor Authentication Disabled id: 374832b1-3603-420c-b456-b373e24d34c0 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Splunk status: production 
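Review bot: The rewritten `stats` drops `values(requestParameters.functionName) as function_updated`, so the detection no longer reports which Lambda function had its code replaced — the key pivot for investigating this technique. Re-add `values(requestParameters.functionName) as function_updated` to the aggregation. `user_type` was also dropped from the `by` clause, though the `user_type=IAMUser` filter in the base search makes that loss cosmetic.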
@@ -16,9 +16,10 @@ data_source: - AWS CloudTrail DeleteVirtualMFADevice - AWS CloudTrail DeactivateMFADevice search: '`cloudtrail` (eventName= DeleteVirtualMFADevice OR eventName=DeactivateMFADevice) - | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource - aws_account_id userAgent eventID awsRegion user_name userIdentity.arn status | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multi_factor_authentication_disabled_filter`' how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: AWS Administrators may disable MFA but it is highly unlikely 
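Review bot: The previous version grouped by `status`; the new `stats` drops it and the base search has no `errorCode` filter, so a denied `DeactivateMFADevice`/`DeleteVirtualMFADevice` attempt now raises the same score-64 "User has disabled Multi-Factor authentication" risk event as an actual MFA removal. Either add `errorCode=success` to the base search, or keep `status` in the `by` clause so the rba message can distinguish the two outcomes.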
@@ -27,14 +28,14 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for - "$aws_account_id$" and "$user_name$" - search: '%original_detection_search% | search aws_account_id = "$aws_account_id$" - user_name = "$user_name$"' +- name: View the detection results for - "$vendor_account$" and "$user$" + search: '%original_detection_search% | search vendor_account = "$vendor_account$" + user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$aws_account_id$" and "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$aws_account_id$", - "$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) +- name: View risk events for the last 7 days for - "$vendor_account$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$vendor_account$", + "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" @@ -42,10 +43,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ has disabled Multi-Factor authentication for AWS account - $aws_account_id$ + message: User $user$ has disabled Multi-Factor authentication for AWS account + $vendor_account$ risk_objects: - - field: user_name + - field: user type: user score: 64 threat_objects: diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml index 4f1a8a187f..5364cabcce 100644 --- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml 
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml @@ -1,6 +1,6 @@ name: AWS Multiple Failed MFA Requests For User id: 1fece617-e614-4329-9e61-3ba228c0f353 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel status: production @@ -14,10 +14,13 @@ description: The following analytic identifies multiple failed multi-factor auth AWS environment, potentially compromising sensitive data and resources. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed - authentication" | bucket span=5m _time | stats dc(_raw) as mfa_prompts values(userAgent) - as userAgent values(src) as src by _time user_name user_arn aws_account_id eventName - errorMessage | where mfa_prompts > 10| `aws_multiple_failed_mfa_requests_for_user_filter`' +search: '`cloudtrail` eventName= ConsoleLogin "additionalEventData.MFAUsed"=Yes errorMessage="Failed authentication" + | bucket span=5m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(_raw) as mfa_prompts min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(src) as src by _time user dest action vendor_account vendor_region vendor_product errorMessage + | where mfa_prompts > 10 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multiple_failed_mfa_requests_for_user_filter`' how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. known_false_positives: Multiple Failed MFA requests may also be a sign of authentication 
@@ -26,12 +29,12 @@ references: - https://attack.mitre.org/techniques/T1621/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for - "$user_name$" - search: '%original_detection_search% | search user_name = "$user_name$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -40,10 +43,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ is seen to have high number of MFA prompt failures within + message: User $user$ is seen to have high number of MFA prompt failures within a short period of time. risk_objects: - - field: user_name + - field: user type: user score: 64 threat_objects: diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml index 82e904fe15..8430271670 100644 --- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml @@ -1,6 +1,6 @@ name: AWS Multiple Users Failing To Authenticate From Ip id: 71e1fb89-dd5f-4691-8523-575420de4630 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel status: production 
@@ -15,9 +15,13 @@ description: The following analytic identifies a single source IP failing to aut environment. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time - | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by - _time, src_ip | where unique_accounts>30 | `aws_multiple_users_failing_to_authenticate_from_ip_filter`' +search: '`cloudtrail` eventName=ConsoleLogin action=failure + | bucket span=10m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(user) AS unique_accounts values(user) as user values(user_agent) as user_agent by _time, src, action, dest, vendor_account, vendor_region, vendor_product + | where unique_accounts>30 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the tried account threshold to tune this search according to their environment. 
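Review bot: The trailing `security_content_ctime(firstTime)`/`security_content_ctime(lastTime)` macros reference fields the `stats` never produces, so they are no-ops; add `min(_time) as firstTime max(_time) as lastTime` to the aggregation. Be aware also that for console logins against a non-existent user CloudTrail replaces `userName` with the literal `HIDDEN_DUE_TO_SECURITY_REASONS`, so `dc(user)` collapses every invalid-name attempt into one value (undercounting a spray) and, with `user` now the risk object, a risk event is raised against that placeholder principal; this deserves a sentence in known_false_positives or an explicit filter on that literal.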
@@ -28,12 +32,12 @@ references: - https://www.whiteoaksecurity.com/blog/goawsconsolespray-password-spraying-tool/ - https://softwaresecuritydotblog.wordpress.com/2019/09/28/how-to-protect-against-credential-stuffing-on-aws/ drilldown_searches: -- name: View the detection results for - "$tried_accounts$" - search: '%original_detection_search% | search tried_accounts = "$tried_accounts$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$tried_accounts$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$tried_accounts$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,13 +47,13 @@ drilldown_searches: latest_offset: $info_max_time$ rba: message: 'Multiple failed console login attempts (Count: $unique_accounts$) against - users from IP Address - $src_ip$' + users from IP Address - $src$' risk_objects: - - field: tried_accounts + - field: user type: user score: 54 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml index a392435e99..53a0b53635 100644 --- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml +++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml 
@@ -1,6 +1,6 @@ name: AWS Network Access Control List Created with All Open Ports id: ada0f478-84a8-4641-a3f1-d82362d6bd75 -version: 6 +version: 7 date: '2025-02-10' author: Bhavin Patel, Patrick Bareiss, Splunk status: production 
@@ -16,16 +16,15 @@ description: The following analytic detects the creation of AWS Network Access C data_source: - AWS CloudTrail CreateNetworkAclEntry - AWS CloudTrail ReplaceNetworkAclEntry -search: "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry - requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 +search: "`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' - | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) - as lastTime by userName user_arn userIdentity.principalId eventName requestParameters.ruleAction - requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to - requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`" + | where port_range>1024] + | fillnull + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from requestParameters.cidrBlock + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | 
`aws_network_access_control_list_created_with_all_open_ports_filter`" how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs. @@ -34,12 +33,12 @@ known_false_positives: It's possible that an admin has created this ACL with all in production environment. references: [] drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -48,10 +47,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has created network ACLs with all the ports open to a specified + message: User $user$ has created network ACLs with all the ports open to a specified CIDR $requestParameters.cidrBlock$ risk_objects: - - field: user_arn + - field: user type: user score: 48 threat_objects: diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml index fe044edec0..1f7c98e312 100644 --- a/detections/cloud/aws_network_access_control_list_deleted.yml 
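Review bot: Unlike every sibling search in this change, the rewritten pipeline in the search hunk has no `| eval vendor_product = "AWS"`, yet `vendor_product` appears in the `stats ... by` list; unless the sourcetype already supplies that field, every row has a null `vendor_product` and is dropped from the result, silencing the detection. Add `| eval vendor_product = "AWS"` after the `rename` line, matching the other detections.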
+++ b/detections/cloud/aws_network_access_control_list_deleted.yml @@ -1,6 +1,6 @@ name: AWS Network Access Control List Deleted id: ada0f478-84a8-4641-a3f1-d82362d6fd75 -version: 6 +version: 7 date: '2025-02-10' author: Bhavin Patel, Patrick Bareiss, Splunk status: production @@ -15,9 +15,11 @@ description: The following analytic detects the deletion of AWS Network Access C data_source: - AWS CloudTrail DeleteNetworkAclEntry search: '`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false - | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by user_arn - userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)`| - `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`' + | fillnull + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`' how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. 
@@ -25,12 +27,12 @@ known_false_positives: It's possible that a user has legitimately deleted a netw ACL. references: [] drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -39,10 +41,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ from $src$ has sucessfully deleted network ACLs entry (eventName= + message: User $user$ from $src$ has sucessfully deleted network ACLs entry (eventName= $eventName$), such that the instance is accessible from anywhere risk_objects: - - field: user_arn + - field: user type: user score: 5 threat_objects: diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml index 50a9b9bc57..9023487963 100644 --- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml @@ -1,6 +1,6 @@ name: AWS New MFA Method Registered For User id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b -version: 6 +version: 7 date: '2025-02-10' author: Bhavin Patel, Splunk status: production 
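Review bot: The rba message in the `@@ -39,10 +41,10 @@` hunk still interpolates `$eventName$`, but the rewritten search in the previous hunk renames `eventName` to `action` and groups only on the renamed fields, so that token will be left unresolved in the risk message. Change the message to read `(action= $action$)`, or carry the original field name through the stats by-clause if the old wording must stay. The same stale `$eventName$` token survives in the rba message of aws_saml_update_identity_provider.yml further down in this diff.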
@@ -14,10 +14,11 @@ description: The following analytic detects the registration of a new Multi-Fact potentially leading to further unauthorized activities and data breaches. data_source: - AWS CloudTrail CreateVirtualMFADevice -search: '`cloudtrail` eventName=CreateVirtualMFADevice | stats count values(requestParameters.virtualMFADeviceName) - as virtualMFADeviceName min(_time) as firstTime max(_time) as lastTime by eventSource - aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn - src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` +search: '`cloudtrail` eventName=CreateVirtualMFADevice + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region, requestParameters.virtualMFADeviceName as virtualMFADeviceName + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product virtualMFADeviceName + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_new_mfa_method_registered_for_user_filter`' how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail logs. 
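Review bot: The new `stats ... by action dest user ...` clause keys on `user`, which is derived from `userName`, and stats silently drops any event whose group-by field is null; the previous version keyed on `user_arn`, which the add-on appears to populate for every identity type. As far as I can tell CloudTrail only sets `userName` for some identity types (IAM users and root, not assumed-role sessions), so MFA devices registered from a role session would no longer surface — please confirm against sample events. A guard such as `| eval user = coalesce(user, 'userIdentity.arn')` before the stats, or `| fillnull value="unknown" user`, keeps those events. Of the searches rewritten in this commit only aws_network_access_control_list_deleted.yml keeps a `fillnull`; aws_password_policy_changes.yml, aws_saml_update_identity_provider.yml, aws_setdefaultpolicyversion.yml and aws_successful_single_factor_authentication.yml have the same gap.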
@@ -29,12 +30,12 @@ references: - https://attack.mitre.org/techniques/T1556/006/ - https://twitter.com/jhencinski/status/1618660062352007174 drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,13 +44,13 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ + message: A new virtual device $virtualMFADeviceName$ is added to user $user$ risk_objects: - - field: user_arn + - field: user type: user score: 64 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml index a9c930cfca..441a3eeec2 100644 --- a/detections/cloud/aws_password_policy_changes.yml +++ b/detections/cloud/aws_password_policy_changes.yml @@ -1,6 +1,6 @@ name: AWS Password Policy Changes id: aee4a575-7064-4e60-b511-246f9baf9895 -version: 4 +version: 5 date: '2024-11-14' author: Bhavin Patel, Splunk status: production 
@@ -17,11 +17,11 @@ data_source: - AWS CloudTrail UpdateAccountPasswordPolicy - AWS CloudTrail GetAccountPasswordPolicy - AWS CloudTrail DeleteAccountPasswordPolicy -search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") - errorCode=success | stats count values(eventName) as eventName values(userAgent) - min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode awsRegion - userIdentity.principalId user_arn src_ip | `security_content_ctime(firstTime)` | - `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`' +search: '`cloudtrail` eventName IN ("UpdateAccountPasswordPolicy","GetAccountPasswordPolicy","DeleteAccountPasswordPolicy") errorCode=success + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_password_policy_changes_filter`' how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: While this search has no known false positives, it is possible diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml index c92114d370..51e9b3ea04 100644 --- a/detections/cloud/aws_saml_update_identity_provider.yml +++ b/detections/cloud/aws_saml_update_identity_provider.yml @@ -1,6 +1,6 @@ name: AWS SAML Update identity provider id: 2f0604c6-6030-11eb-ae93-0242ac130002 -version: 5 +version: 7 date: '2024-11-14' author: Rod Soto, Splunk status: production 
@@ -15,10 +15,11 @@ description: The following analytic detects updates to the SAML provider in AWS. data. data_source: - AWS CloudTrail UpdateSAMLProvider -search: '`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime - max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn - userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId - userIdentity.principalId | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` +search: '`cloudtrail` eventName=UpdateSAMLProvider + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. 
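Review bot: The rewritten stats by-clause no longer carries `requestParameters.sAMLProviderArn`, yet the rba message in the following hunk still interpolates `$requestParameters.sAMLProviderArn$`, so the risk message will lose the one field that identifies which SAML provider was changed. Add `values(requestParameters.sAMLProviderArn) as saml_provider_arn` to the stats line and reference `$saml_provider_arn$` in the message. The old by-clause also exposed `userIdentity.accessKeyId` and `userIdentity.sessionContext.sessionIssuer.arn`; if dropping that context is intentional it is worth stating in the commit description, since an analyst triaging this alert loses the issuing role.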
@@ -30,12 +31,12 @@ references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf - https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps drilldown_searches: -- name: View the detection results for - "$userIdentity.principalId$" - search: '%original_detection_search% | search userIdentity.principalId = "$userIdentity.principalId$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$userIdentity.principalId$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$userIdentity.principalId$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -44,14 +45,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $userIdentity.principalId$ from IP address $sourceIPAddress$ has trigged + message: User $user$ from IP address $src$ has trigged an event $eventName$ to update the SAML provider to $requestParameters.sAMLProviderArn$ risk_objects: - - field: userIdentity.principalId + - field: user type: user score: 64 threat_objects: - - field: sourceIPAddress + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml index a1fef13c96..5d775a0401 100644 --- a/detections/cloud/aws_setdefaultpolicyversion.yml 
+++ b/detections/cloud/aws_setdefaultpolicyversion.yml @@ -1,6 +1,6 @@ name: AWS SetDefaultPolicyVersion id: 2a9b80d3-6340-4345-11ad-212bf3d0dac4 -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Splunk status: production @@ -15,10 +15,10 @@ description: The following analytic detects when a user sets a default policy ve data_source: - AWS CloudTrail SetDefaultPolicyVersion search: '`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com - | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) - as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id - errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`' + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`' how_to_implement: You must install splunk AWS add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives: While this search has no known false positives, it is possible 
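Review bot: The new search drops `values(requestParameters.policyArn) as policy_arn` and `requestParameters.versionId` from the stats output, so the alert no longer says which policy or which version was made default, which is the core context for this privilege-escalation detection. Append `values(requestParameters.policyArn) as policy_arn values(requestParameters.versionId) as policy_version` to the stats aggregations so the drilldown and rba message can reference them. The old by-clause also included `errorCode`, and the new search neither groups on it nor filters `errorCode=success`, so denied attempts are now counted together with successful ones; if that is intended, the description ("when a user sets a default policy version") should say so.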
@@ -29,12 +29,12 @@ references: - https://bishopfox.com/blog/privilege-escalation-in-aws - https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -43,10 +43,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: From IP address $src$, user $user_arn$ has trigged an event $eventName$ + message: From IP address $src$, user $user$ has trigged an action $action$ for updating the the default policy version risk_objects: - - field: user_arn + - field: user type: user score: 30 threat_objects: diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml index 558280bf33..c159754c61 100644 --- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml +++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml 
@@ -1,6 +1,6 @@ name: AWS Successful Console Authentication From Multiple IPs id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb -version: 6 +version: 7 date: '2024-11-14' author: Bhavin Patel, Splunk status: production @@ -14,9 +14,13 @@ description: The following analytic detects an AWS account successfully authenti resources, leading to data breaches or further exploitation within the AWS environment. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName = ConsoleLogin | bin span=5m _time | stats values(userAgent) - as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) - as distinct_ip_count by _time user_arn | where distinct_ip_count>1 | `aws_successful_console_authentication_from_multiple_ips_filter`' +search: '`cloudtrail` eventName = ConsoleLogin + | bin span=5m _time + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats dc(src) as distinct_ip_count values(src) as src values(user_agent) as user_agent by _time, user, action, dest, vendor_account, vendor_region, vendor_product + | where distinct_ip_count>1 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_console_authentication_from_multiple_ips_filter`' how_to_implement: You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel. known_false_positives: A user with successful authentication events from different 
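Review bot: The added `| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`` operates on fields the preceding stats never produces, since that stats only computes `dc(src)` and `values(...)`. Either add `min(_time) as firstTime max(_time) as lastTime` to the stats aggregations or drop the two macro calls. The same pattern is added to aws_unusual_number_of_failed_authentications_from_ip.yml later in this diff, where the stats likewise emits only `distinct_attempts` and `tried_accounts`. Separately, the context line `how_to_implement` still says the search relies on events normalized to the Authentication datamodel, while the search reads the raw `cloudtrail` macro; that sentence predates this commit but is worth correcting while the file is being touched.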
@@ -25,12 +29,12 @@ known_false_positives: A user with successful authentication events from differe references: - https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/ drilldown_searches: -- name: View the detection results for - "$user_arn$" - search: '%original_detection_search% | search user_arn = "$user_arn$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_arn$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_arn$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -39,14 +43,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_arn$ has successfully logged into the AWS Console from different - IP addresses $src_ip$ within 5 mins + message: User $user$ has successfully logged into the AWS Console from different + IP addresses $src$ within 5 mins risk_objects: - - field: user_arn + - field: user type: user score: 72 threat_objects: - - field: src_ip + - field: src type: ip_address tags: analytic_story: diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml index 86f0eff62a..9f326936db 100644 --- a/detections/cloud/aws_successful_single_factor_authentication.yml +++ b/detections/cloud/aws_successful_single_factor_authentication.yml 
@@ -1,6 +1,6 @@ name: AWS Successful Single-Factor Authentication id: a520b1fe-cc9e-4f56-b762-18354594c52f -version: 5 +version: 6 date: '2025-02-10' author: Bhavin Patel, Splunk status: production @@ -15,9 +15,10 @@ description: The following analytic identifies a successful Console Login authen data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No - | stats count min(_time) as firstTime max(_time) as lastTime by src eventName eventSource - aws_account_id errorCode additionalEventData.MFAUsed userAgent eventID awsRegion - user_name userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` + | rename eventName as action, eventSource as dest, userName as user, userAgent as user_agent, sourceIPAddress as src, userIdentity.accountId as vendor_account, awsRegion as vendor_region + | eval vendor_product = "AWS" + | stats count min(_time) as firstTime max(_time) as lastTime by action dest user user_agent src vendor_account vendor_region vendor_product + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_single_factor_authentication_filter`' how_to_implement: The Splunk AWS Add-on is required to utilize this data. The search requires AWS CloudTrail logs. 
@@ -28,12 +29,12 @@ references: - https://attack.mitre.org/techniques/T1078/004/ - https://aws.amazon.com/what-is/mfa/ drilldown_searches: -- name: View the detection results for - "$user_name$" - search: '%original_detection_search% | search user_name = "$user_name$"' +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user_name$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) @@ -42,10 +43,10 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: User $user_name$ has successfully logged into an AWS Console without Multi-Factor + message: User $user$ has successfully logged into an AWS Console without Multi-Factor Authentication from $src$ risk_objects: - - field: user_name + - field: user type: user score: 64 threat_objects: diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml index 1ba8b2c8a4..81255cca76 100644 --- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml 
@@ -1,6 +1,6 @@ name: AWS Unusual Number of Failed Authentications From Ip id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386 -version: 6 +version: 7 date: '2025-02-10' author: Bhavin Patel, Splunk status: production @@ -14,11 +14,14 @@ description: The following analytic identifies a single source IP failing to aut unauthorized access, data breaches, or further exploitation within the AWS environment. data_source: - AWS CloudTrail ConsoleLogin -search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time - | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, - src_ip | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) - as ip_std by _time | eval upperBound=(avg_attempts+ip_std*3) | eval isOutlier=if(distinct_attempts - > 10 and distinct_attempts >= upperBound, 1, 0) | where isOutlier = 1 |`aws_unusual_number_of_failed_authentications_from_ip_filter`' +search: '`cloudtrail` eventName=ConsoleLogin action=failure + | bucket span=10m _time + | stats dc(_raw) AS distinct_attempts values(user_name) as tried_accounts by _time, src_ip + | eventstats avg(distinct_attempts) as avg_attempts , stdev(distinct_attempts) as ip_std by _time + | eval upperBound=(avg_attempts+ip_std*3) + | eval isOutlier=if(distinct_attempts > 10 and distinct_attempts >= upperBound, 1, 0) + | where isOutlier = 1 + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_unusual_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and the calculation of the upperBound field to tune this search according to their environment 
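Review bot: This search is re-flowed but keeps the add-on field names `src_ip`, `user_name` and `action=failure`, while every other CloudTrail search in this commit derives `src` and `user` through the shared `rename eventName as action, ... sourceIPAddress as src, ...` chain. If the divergence is deliberate (the grouping key here is the source IP rather than the user), a one-line note in `how_to_implement` saying this detection does not use the normalized field set would save the next maintainer from "fixing" it; otherwise applying the same rename chain and grouping on `src` with `values(user) as tried_accounts` would bring it in line. Note also that with `action=failure` in the base search, the `action` name is already taken by the add-on's outcome field, so the rename chain cannot be applied verbatim here.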
diff --git a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml similarity index 99% rename from detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml rename to detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml index 709d1872fe..5d882ef853 100644 --- a/detections/cloud/aws_cross_account_activity_from_previously_unseen_account.yml +++ b/detections/deprecated/aws_cross_account_activity_from_previously_unseen_account.yml @@ -1,9 +1,9 @@ name: AWS Cross Account Activity From Previously Unseen Account id: 21193641-cb96-4a2c-a707-d9b9a7f7792b -version: 4 +version: 5 date: '2024-11-14' author: Rico Valdez, Splunk -status: experimental +status: deprecated type: Anomaly description: The following analytic identifies AssumeRole events where an IAM role in a different AWS account is accessed for the first time. It detects this activity diff --git a/detections/cloud/aws_detect_attach_to_role_policy.yml b/detections/deprecated/aws_detect_attach_to_role_policy.yml similarity index 98% rename from detections/cloud/aws_detect_attach_to_role_policy.yml rename to detections/deprecated/aws_detect_attach_to_role_policy.yml index b3b55c8829..ddde29333c 100644 --- a/detections/cloud/aws_detect_attach_to_role_policy.yml +++ b/detections/deprecated/aws_detect_attach_to_role_policy.yml @@ -1,9 +1,9 @@ name: aws detect attach to role policy id: 88fc31dd-f331-448c-9856-d3d51dd5d3a1 -version: 4 +version: 5 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic identifies a user attaching a policy to a different role's trust policy in AWS. It leverages CloudWatch logs to detect the `attach policy` 
diff --git a/detections/cloud/aws_detect_permanent_key_creation.yml b/detections/deprecated/aws_detect_permanent_key_creation.yml similarity index 97% rename from detections/cloud/aws_detect_permanent_key_creation.yml rename to detections/deprecated/aws_detect_permanent_key_creation.yml index 49c164d0b4..5f6070e970 100644 --- a/detections/cloud/aws_detect_permanent_key_creation.yml +++ b/detections/deprecated/aws_detect_permanent_key_creation.yml @@ -1,9 +1,9 @@ name: aws detect permanent key creation id: 12d6d713-3cb4-4ffc-a064-1dca3d1cca01 -version: 4 +version: 5 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic detects the creation of permanent access keys in AWS accounts. It leverages CloudWatch logs to identify events where the `CreateAccessKey` diff --git a/detections/cloud/aws_detect_role_creation.yml b/detections/deprecated/aws_detect_role_creation.yml similarity index 98% rename from detections/cloud/aws_detect_role_creation.yml rename to detections/deprecated/aws_detect_role_creation.yml index 068b428177..b60812c49c 100644 --- a/detections/cloud/aws_detect_role_creation.yml +++ b/detections/deprecated/aws_detect_role_creation.yml @@ -1,9 +1,9 @@ name: aws detect role creation id: 5f04081e-ddee-4353-afe4-504f288de9ad -version: 4 +version: 5 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic identifies the creation of new IAM roles by users in AWS. It leverages CloudWatch logs to detect events where the `CreateRole` action diff --git a/detections/cloud/aws_detect_sts_assume_role_abuse.yml b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml similarity index 98% rename from detections/cloud/aws_detect_sts_assume_role_abuse.yml rename to detections/deprecated/aws_detect_sts_assume_role_abuse.yml index 4a67dd42fc..e83636a56d 100644 
--- a/detections/cloud/aws_detect_sts_assume_role_abuse.yml +++ b/detections/deprecated/aws_detect_sts_assume_role_abuse.yml @@ -1,9 +1,9 @@ name: aws detect sts assume role abuse id: 8e565314-b6a2-46d8-9f05-1a34a176a662 -version: 4 +version: 5 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic identifies suspicious use of the AWS STS AssumeRole action. It leverages AWS CloudTrail logs to detect instances where roles are assumed, diff --git a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml similarity index 98% rename from detections/cloud/aws_detect_sts_get_session_token_abuse.yml rename to detections/deprecated/aws_detect_sts_get_session_token_abuse.yml index 0ff88c17b8..80ed8b1698 100644 --- a/detections/cloud/aws_detect_sts_get_session_token_abuse.yml +++ b/detections/deprecated/aws_detect_sts_get_session_token_abuse.yml @@ -1,9 +1,9 @@ name: aws detect sts get session token abuse id: 85d7b35f-b8b5-4b01-916f-29b81e7a0551 -version: 4 +version: 5 date: '2024-11-14' author: Rod Soto, Splunk -status: experimental +status: deprecated type: Hunting description: The following analytic identifies the suspicious use of the AWS STS GetSessionToken API call. It leverages CloudWatch logs to detect instances where this API is invoked, diff --git a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml b/detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml similarity index 99% rename from detections/cloud/aws_saml_access_by_provider_user_and_principal.yml rename to detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml index 15f1a67871..4c3681065e 100644 --- a/detections/cloud/aws_saml_access_by_provider_user_and_principal.yml +++ b/detections/deprecated/aws_saml_access_by_provider_user_and_principal.yml 
@@ -1,9 +1,9 @@ name: AWS SAML Access by Provider User and Principal id: bbe23980-6019-11eb-ae93-0242ac130002 -version: 4 +version: 5 date: '2024-11-14' author: Rod Soto, Splunk -status: production +status: deprecated type: Anomaly description: The following analytic identifies specific SAML access events by a service provider, user, and targeted principal within AWS. It leverages AWS CloudTrail logs