Skip to content

Update credential_theft_cloud_storage_impersonation.yml #3740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
JFarina5 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Update credential_theft_cloud_storage_impersonation.yml #3740

JFarina5 wants to merge 2 commits into from
+2 −5

Conversation

@JFarina5
Copy link
Member

@JFarina5 JFarina5 commented Jan 6, 2026
edited
Loading

Description

Added coverage for a FN, checking for things such as 'account/cloud suspended/at risk', also added check for auth failures and negated legit security trainings (noticed a few FPs in hunt results initially).

Associated samples

Associated hunts

Hunts showed no benign hits for both the 14 and 30 day hunts.

@JFarina5 JFarina5 requested a review from a team as a code owner January 6, 2026 19:12
@github-actions github-actions bot added the in-test-rules PR is in our testing suite to collect telemetry label Jan 6, 2026
github-actions bot added a commit that referenced this pull request Jan 6, 2026
@github-actions
[PR #3740] added rule: Cloud storage impersonation with credential th…
d9f16bf 
…eft indicators
@JFarina5
Copy link
Member Author

JFarina5 commented Jan 7, 2026

Mode results look good, flagging on one benign message that the rule doesn't actually fire on. Not really sure why its showing in Mode.

@JFarina5 JFarina5 added the review-needed Indicates that a PR is waiting for review label Jan 7, 2026
zoomequipd
zoomequipd requested changes Jan 8, 2026
View reviewed changes
@JFarina5 JFarina5 removed the review-needed Indicates that a PR is waiting for review label Jan 8, 2026
github-actions bot added a commit that referenced this pull request Jan 8, 2026
@github-actions
[PR #3740] modified rule: Cloud storage impersonation with credential…
ee7bfac 
… theft indicators
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JFarina5 @zoomequipd