From 17515a1c32d44d095d75d5893a4d105f80473209 Mon Sep 17 00:00:00 2001 From: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> Date: Tue, 4 Mar 2025 10:04:33 -0700 Subject: [PATCH] Enhanced Microsoft Exchange External Forwarding Detection (#1529) Co-authored-by: Panther Bot
---
 global_helpers/panther_msft_helpers.py | 36 +++ indexes/alpha-index.md | 4 +- indexes/aws.md | 2 + indexes/detection-coverage.json | 2 +- .../microsoft_exchange_external_forwarding.py | 92 +++++-- ...microsoft_exchange_external_forwarding.yml | 246 ++++++++++++------ 6 files changed, 277 insertions(+), 105 deletions(-)
diff --git a/global_helpers/panther_msft_helpers.py b/global_helpers/panther_msft_helpers.py
index ba41f2d04..b073491e4 100644
--- a/global_helpers/panther_msft_helpers.py
+++ b/global_helpers/panther_msft_helpers.py
@@ -57,3 +57,39 @@ def get_target_name(event, target_type="User"): def azure_success(event): result = event.deep_get("properties", "result", default="") return result == "success" + + +def is_external_address(address, primary_domain, onmicrosoft_domain): + """Check if an email address is external to the organization. + + Args: + address (str): The email address or SMTP address to check + primary_domain (str): The organization's primary domain (e.g. contoso.com) + onmicrosoft_domain (str): The tenant domain (e.g. contoso.onmicrosoft.com) + + Returns: + bool: True if the address is external, False if internal + """ + if not address or (not primary_domain and not onmicrosoft_domain): + return True + + # Clean up and normalize the address + address = address.lower() + if address.startswith("smtp:"): + address = address[5:] + + # Check each address (might be multiple addresses separated by semicolon) + for addr in address.split(";"): + try: + domain = addr.strip().split("@")[1].lower() + # Skip if internal (matches onmicrosoft domain or primary domain/subdomain) + if (onmicrosoft_domain and domain == onmicrosoft_domain.lower()) or ( + primary_domain + and (domain == primary_domain or domain.endswith("." + primary_domain)) + ): + continue + return True + except (IndexError, AttributeError): + return True + + return False diff --git a/indexes/alpha-index.md b/indexes/alpha-index.md index 0fa4f598d..8fd7e3fa3 100644 --- a/indexes/alpha-index.md +++ b/indexes/alpha-index.md 
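Review bot: `primary_domain` is compared case-sensitively inside the loop (`domain == primary_domain or domain.endswith("." + primary_domain)`) while `domain` and `onmicrosoft_domain` are lowercased, so a caller that supplies the primary domain with any uppercase letters makes every internal recipient look external; normalize it once after the early-return guard, `primary_domain = primary_domain.lower() if primary_domain else ""`, and the per-iteration `onmicrosoft_domain.lower()` can be hoisted the same way. An empty segment from a trailing `;` in the recipient list lands in the `IndexError` branch and is also reported as external, which is the safe direction for a detection but worth a `continue` on `if not addr.strip():` if it shows up as noise. The docstring should state that the function returns True when neither organization domain is configured and for any segment without an `@`, so callers of the helper know it errs toward alerting rather than silence.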
@@ -449,6 +449,8 @@ ## AWS GuardDuty +- [AWS GuardDuty Critical Severity Finding](../rules/aws_guardduty_rules/aws_guardduty_critical_sev_findings.yml) + - A critical-severity GuardDuty finding has been identified. - [AWS GuardDuty Enabled](../policies/aws_guardduty_policies/aws_guardduty_enabled.yml) - GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. - [AWS GuardDuty High Severity Finding](../rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.yml) @@ -1273,7 +1275,7 @@ ## Microsoft365 - [Microsoft Exchange External Forwarding](../rules/microsoft_rules/microsoft_exchange_external_forwarding.yml) - - Detects creation of forwarding rule to external domains + - Detects when a user creates email forwarding rules to external organizations in Microsoft Exchange Online. This can indicate data exfiltration attempts, where an attacker sets up forwarding to collect emails outside the organization. The rule detects both mailbox forwarding (Set-Mailbox) and inbox rules (New-InboxRule).The detection includes: 1. External organization forwarding based on domain comparison 2. Suspicious forwarding patterns like: - Forwarding without keeping a copy - Deleting messages after forwarding - Stopping rule processing after forwarding3. Multiple forwarding destinations 4. Various forwarding methods (SMTP, redirect, forward as attachment) - [Microsoft365 Brute Force Login by User](../rules/microsoft_rules/microsoft365_brute_force_login_by_user.yml) - A Microsoft365 user was denied login access several times - [Microsoft365 External Document Sharing](../rules/microsoft_rules/microsoft365_external_sharing.yml) diff --git a/indexes/aws.md b/indexes/aws.md index b52a18ae2..9e6fb6271 100644 --- a/indexes/aws.md +++ b/indexes/aws.md 
@@ -403,6 +403,8 @@ ## AWS GuardDuty +- [AWS GuardDuty Critical Severity Finding](../rules/aws_guardduty_rules/aws_guardduty_critical_sev_findings.yml) + - A critical-severity GuardDuty finding has been identified. - [AWS GuardDuty Enabled](../policies/aws_guardduty_policies/aws_guardduty_enabled.yml) - GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. - [AWS GuardDuty High Severity Finding](../rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.yml) diff --git a/indexes/detection-coverage.json b/indexes/detection-coverage.json index 20bdd291a..58db513d1 100644 --- a/indexes/detection-coverage.json +++ b/indexes/detection-coverage.json 
@@ -1 +1 @@ -[{"AnalysisType": "Scheduled Rule", "Description": "Detects 1Password Logins from IP addresses not found in CrowdStrike's AIP list. May indicate unmanaged device being used, or faulty CrowdStrike Sensor.", "DisplayName": "1Password Login From CrowdStrike Unmanaged Device", "LogTypes": ["Crowdstrike.AIDMaster", "OnePassword.SignInAttempt"], "YAMLPath": "queries/crowdstrike_queries/onepassword_login_from_crowdstrike_unmanaged_device.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Looks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List.", "DisplayName": "1Password Login From CrowdStrike Unmanaged Device Query", "LogTypes": ["Crowdstrike.AIDMaster", "OnePassword.SignInAttempt"], "YAMLPath": "queries/crowdstrike_queries/onepass_login_from_crowdstrike_unmanaged_device_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Looks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List. (crowdstrike_fdrevent table)", "DisplayName": "1Password Login From CrowdStrike Unmanaged Device Query (crowdstrike_fdrevent table)", "LogTypes": ["Crowdstrike.FDREvent", "OnePassword.SignInAttempt"], "YAMLPath": "queries/onepassword_queries/onepass_login_from_crowdstrike_unmanaged_device_FDREvent.yml"}, {"AnalysisType": "Rule", "Description": "Detects vulnerable versions of XZ and liblzma on Linux and MacOS using Osquery logs. Versions 5.6.0 and 5.6.1 of xz and liblzma are most likely vulnerable to backdoor exploit. 
Vuln management pack must be enabled: https://github.com/osquery/osquery/blob/master/packs/vuln-management.conf", "DisplayName": "A backdoored version of XZ or liblzma is vulnerable to CVE-2024-3094", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_linux_mac_vulnerable_xz_liblzma.yml"}, {"AnalysisType": "Rule", "Description": "A CloudTrail Trail was created, updated, or enabled.", "DisplayName": "A CloudTrail Was Created or Updated", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_created.yml"}, {"AnalysisType": "Rule", "Description": "A system has been logged into from a non approved IP space.", "DisplayName": "A Login from Outside the Corporate Office", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_linux_logins_non_office.yml"}, {"AnalysisType": "Rule", "Description": "An unusually long-lived Teleport certificate was created", "DisplayName": "A long-lived cert was created", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_long_lived_certs.yml"}, {"AnalysisType": "Rule", "Description": "A SAML connector was created or modified", "DisplayName": "A SAML Connector was created or modified", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_saml_created.yml"}, {"AnalysisType": "Rule", "Description": "A Teleport Lock was created", "DisplayName": "A Teleport Lock was created", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_lock_created.yml"}, {"AnalysisType": "Rule", "Description": "A Teleport Role was modified or created", "DisplayName": "A Teleport Role was modified or created", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_role_created.yml"}, {"AnalysisType": "Rule", "Description": "A user authenticated with SAML, but from an unknown company domain", 
"DisplayName": "A user authenticated with SAML, but from an unknown company domain", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.yml"}, {"AnalysisType": "Rule", "Description": "A User from the company domain(s) Logged in without SAML", "DisplayName": "A User from the company domain(s) Logged in without SAML", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.yml"}, {"AnalysisType": "Rule", "Description": "A Panther user role has been created that contains admin level permissions.", "DisplayName": "A User Role with Sensitive Permissions has been Created", "LogTypes": ["Panther.Audit"], "YAMLPath": "rules/panther_audit_rules/panther_sensitive_role_created.yml"}, {"AnalysisType": "Rule", "Description": "A Panther user's role has been modified. This could mean password, email, or role has changed for the user.", "DisplayName": "A User's Panther Account was Modified", "LogTypes": ["Panther.Audit"], "YAMLPath": "rules/panther_audit_rules/panther_user_modified.yml"}, {"AnalysisType": "Rule", "Description": "An account wide security configuration was changed.", "DisplayName": "Account Security Configuration Changed", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_security_configuration_change.yml"}, {"AnalysisType": "Rule", "Description": "An action was performed by Netskope personnel.", "DisplayName": "Action Performed by Netskope Personnel", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_personnel_action.yml"}, {"AnalysisType": "Rule", "Description": "An admin was logged out because of successive login failures.", "DisplayName": "Admin logged out because of successive login failures", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_admin_logged_out.yml"}, {"AnalysisType": "Rule", "Description": "Assigning an admin 
role manually could be a sign of privilege escalation", "DisplayName": "Admin Role Assigned", "LogTypes": ["Asana.Audit", "Atlassian.Audit", "GCP.AuditLog", "GSuite.Reports", "GitHub.Audit", "OneLogin.Events", "Zendesk.Audit"], "YAMLPath": "rules/standard_rules/admin_assigned.yml"}, {"AnalysisType": "Rule", "Description": "An Amazon Machine Image (AMI) was modified to allow it to be launched by anyone. Any sensitive configuration or application data stored in the AMI's block devices is at risk.", "DisplayName": "Amazon Machine Image (AMI) Modified to Allow Public Access", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml"}, {"AnalysisType": "Rule", "Description": "An administrator account was created, deleted, or modified.", "DisplayName": "An administrator account was created, deleted, or modified.", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_admin_user_change.yml"}, {"AnalysisType": "Scheduled Query", "Description": "ARNs with a high Access Denied error rate could indicate an error or compromised credentials attempting to perform reconnaissance.", "DisplayName": "Anomalous AccessDenied Requests", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/anomalous_access_denied_query.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AppOmni Alert Passthrough", "LogTypes": ["AppOmni.Alerts"], "YAMLPath": "rules/appomni_rules/appomni_alert_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "An Asana service account was created by someone in your organization.", "DisplayName": "Asana Service Account Created", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_service_account_created.yml"}, {"AnalysisType": "Rule", "Description": "An Asana team's privacy setting was changed to public to the organization (not public to internet)", "DisplayName": "Asana Team Privacy Public", "LogTypes": ["Asana.Audit"], "YAMLPath": 
"rules/asana_rules/asana_team_privacy_public.yml"}, {"AnalysisType": "Rule", "Description": "An Asana workspace's default session duration (how often users need to re-authenticate) has been changed to never.", "DisplayName": "Asana Workspace Default Session Duration Never", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_default_session_duration_never.yml"}, {"AnalysisType": "Rule", "Description": "A new email domain has been added to an Asana workspace. Reviewer should validate that the new domain is a part of the organization.", "DisplayName": "Asana Workspace Email Domain Added", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_email_domain_added.yml"}, {"AnalysisType": "Rule", "Description": "An Asana Workspace Form Link is a unique URL that allows you to create a task directly within a specific Workspace or Project in Asana, using a web form. Disabling authentication requirements may allow unauthorized users to create tasks.", "DisplayName": "Asana Workspace Form Link Auth Requirement Disabled", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_form_link_auth_requirement_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Typically inviting guests to Asana is permitted by few users. 
Enabling anyone to invite guests can potentially lead to unauthorized users gaining access to Asana.", "DisplayName": "Asana Workspace Guest Invite Permissions Anyone", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.yml"}, {"AnalysisType": "Rule", "Description": "Admin role was granted to the user who previously did not have admin permissions", "DisplayName": "Asana Workspace New Admin", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_new_admin.yml"}, {"AnalysisType": "Rule", "Description": "An Asana user started an org export.", "DisplayName": "Asana Workspace Org Export", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_org_export.yml"}, {"AnalysisType": "Rule", "Description": "An asana user made your organization's password requirements less strict.", "DisplayName": "Asana Workspace Password Requirements Simple", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_password_requirements_simple.yml"}, {"AnalysisType": "Rule", "Description": "An Asana user turned off app approval requirements for an application type for your organization.", "DisplayName": "Asana Workspace Require App Approvals Disabled", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_require_app_approvals_disabled.yml"}, {"AnalysisType": "Rule", "Description": "An Asana user made SAML optional for your organization.", "DisplayName": "Asana Workspace SAML Optional", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_saml_optional.yml"}, {"AnalysisType": "Rule", "Description": "Reports when an Atlassian user logs in (impersonates) another user.", "DisplayName": "Atlassian admin impersonated another user", "LogTypes": ["Atlassian.Audit"], "YAMLPath": "rules/atlassian_rules/user_logged_in_as_user.yml"}, {"AnalysisType": "Rule", "Description": "Okta has determined that the cross-origin authentication feature in 
Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events.", "DisplayName": "Auth0 CIC Credential Stuffing", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_cic_credential_stuffing.yml"}, {"AnalysisType": "Saved Query", "Description": "Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks", "DisplayName": "Auth0 CIC Credential Stuffing Query", "LogTypes": ["Auth0.Events"], "YAMLPath": "queries/auth0_queries/auth0_cic_credential_stuffing_query.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User created a role in your organization's tenant.", "DisplayName": "Auth0 Custom Role Created", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_custom_role_created.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 integration was installed from the auth0 action library.", "DisplayName": "Auth0 Integration Installed", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_integration_installed.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 user enabled an mfa factor in your organization's mfa settings.", "DisplayName": "Auth0 mfa factor enabled", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_mfa_factor_setting_enabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User disabled MFA for your organization's tenant.", "DisplayName": "Auth0 MFA Policy Disabled", "LogTypes": ["Auth0.Events"], "YAMLPath": 
"rules/auth0_rules/auth0_mfa_policy_disabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User enabled MFA Policy for your organization's tenant.", "DisplayName": "Auth0 MFA Policy Enabled", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_mfa_policy_enabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User disabled the mfa risk assessment setting for your organization's tenant.", "DisplayName": "Auth0 MFA Risk Assessment Disabled", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_mfa_risk_assessment_disabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User enabled the mfa risk assessment setting for your organization's tenant.", "DisplayName": "Auth0 MFA Risk Assessment Enabled", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_mfa_risk_assessment_enabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User updated a post login action flow for your organization's tenant.", "DisplayName": "Auth0 Post Login Action Flow Updated", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_post_login_action_flow.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Auth0 User Invitation Created", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_user_invitation_created.yml"}, {"AnalysisType": "Rule", "Description": "User accepted invitation from Auth0 member to join an Auth0 tenant.", "DisplayName": "Auth0 User Joined Tenant", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_user_joined_tenant.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that AWS IAM account access keys are rotated every 90 days. 
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.", "DisplayName": "AWS Access Key Rotation", "LogTypes": ["AWS.IAM.RootUser", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_access_key_rotation.yml"}, {"AnalysisType": "Rule", "Description": "A users static AWS API key was uploaded to a public github repo.", "DisplayName": "AWS Access Key Uploaded to Github", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_key_compromised.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that AWS IAM user accounts do not have access keys that were created during account creation. This results in excess keys being generated, and unnecessary management work in auditing and rotating these keys.", "DisplayName": "AWS Access Keys At Account Creation", "LogTypes": ["AWS.IAM.RootUser", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_access_keys_at_account_creation.yml"}, {"AnalysisType": "Policy", "Description": "When a certificate is 60 days away from expiration, ACM automatically attempts to renew it every hour.", "DisplayName": "AWS ACM Certificate Expiration", "LogTypes": ["AWS.ACM.Certificate"], "YAMLPath": "policies/aws_acm_policies/aws_acm_certificate_expiration.yml"}, {"AnalysisType": "Policy", "Description": "This policy checks if an ACM certificate renewal is pending or has failed and is in use by any other resources within the account.", "DisplayName": "AWS ACM Certificate Status", "LogTypes": ["AWS.ACM.Certificate"], "YAMLPath": "policies/aws_acm_policies/aws_acm_certificate_valid.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all ACM certificates are using secure key and signature algorithms.", "DisplayName": "AWS ACM Secure Algorithms", "LogTypes": ["AWS.ACM.Certificate"], "YAMLPath": "policies/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.yml"}, {"AnalysisType": 
"Policy", "Description": "This policy ensures that AMIs you have created are not configured to allow public access, which could result in accidental data loss. AMI's that you use but do not own are not evaluated by this policy.", "DisplayName": "AWS AMI Sharing", "LogTypes": ["AWS.EC2.AMI"], "YAMLPath": "policies/aws_ec2_policies/aws_ami_private.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all application load balancers have an associated Web ACl to enforce protections against various web attacks.", "DisplayName": "AWS Application Load Balancer Web ACL", "LogTypes": ["AWS.ELBV2.ApplicationLoadBalancer"], "YAMLPath": "policies/aws_elb_policies/aws_application_load_balancer_web_acl.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List", "DisplayName": "AWS Authentication from CrowdStrike Unmanaged Device", "LogTypes": ["AWS.CloudTrail", "Crowdstrike.AIDMaster"], "YAMLPath": "queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_Query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List", "DisplayName": "AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)", "LogTypes": ["AWS.CloudTrail", "Crowdstrike.FDREvent"], "YAMLPath": "queries/aws_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_FDREvent.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Identifies when CreateRole and AttachAdminRolePolicy CloudTrail events occur in a short period of time. This sequence could indicate a potential security breach.", "DisplayName": "AWS Backdoor Administrative IAM Role Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_create_backdoor_admin_iam_role.yml"}, {"AnalysisType": "Rule", "Description": "An Amazon Bedrock Guardrail was updated or deleted. 
Amazon Bedrock Guardrails are used to implement application-specific safeguards based on your use cases and responsible AI policies. Updating or deleting a guardrail can have security implications to your AI workloads.", "DisplayName": "AWS Bedrock Guardrail Updated or Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_bedrock_guardrail_update_delete.yml"}, {"AnalysisType": "Rule", "Description": "An Amazon Bedrock Model Invocation Logging Configuration was deleted. Use model invocation logging to collect metadata, requests, and responses for all model invocations in your account. Deleting a model invocation logging configuration can have security implications to your AI workloads.", "DisplayName": "AWS Bedrock Model Invocation Logging Configuration Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_bedrock_deletemodelinvocationloggingconfiguration.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that all EC2 volumes that contain CDE are encrypted. 
Be sure to configure CDE definitions before enabling this policy.", "DisplayName": "AWS CDE EC2 Volume Encryption", "LogTypes": ["AWS.EC2.Volume"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_cde_volume_encrypted.yml"}, {"AnalysisType": "Policy", "Description": "A stack has drifted from its defined configuration.", "DisplayName": "AWS CloudFormation Stack Drift", "LogTypes": ["AWS.CloudFormation.Stack"], "YAMLPath": "policies/aws_cloudformation_policies/aws_cloudformation_stack_drifted.yml"}, {"AnalysisType": "Policy", "Description": "Associating IAM roles with CloudFormation stacks ensures least privilege when making changes to your account.", "DisplayName": "AWS CloudFormation Stack IAM Service Role", "LogTypes": ["AWS.CloudFormation.Stack"], "YAMLPath": "policies/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.yml"}, {"AnalysisType": "Policy", "Description": "Protects a CloudFormation stack from accidentally being deleted. If you attempt to delete a stack with termination protection enabled, the deletion fails and the stack, including its status, will remain unchanged.", "DisplayName": "AWS CloudFormation Stack Termination Protection", "LogTypes": ["AWS.CloudFormation.Stack"], "YAMLPath": "policies/aws_cloudformation_policies/aws_cloudformation_termination_protection.yml"}, {"AnalysisType": "Rule", "Description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.", "DisplayName": "AWS CloudTrail Account Discovery", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an actor attempts to remove an AWS account from an Organization. Security configurations are often defined at the organizational level. 
Leaving the organization can disrupt or totally shut down these controls.", "DisplayName": "AWS CloudTrail Attempt To Leave Org", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.yml"}, {"AnalysisType": "Policy", "Description": "CloudTrail supports sending data and management events to CloudWatch Logs. This setup can be used for real-time processing of all CloudTrail data events.", "DisplayName": "AWS CloudTrail CloudWatch Logs", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.yml"}, {"AnalysisType": "Policy", "Description": "Users with permissions to disable or reconfigure CloudTrail should be limited.", "DisplayName": "AWS CloudTrail Least Privilege Access", "LogTypes": ["AWS.IAM.Group"], "YAMLPath": "policies/aws_iam_policies/aws_cloudtrail_least_privilege.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that CloudTrail Logs are encrypted at rest with customer managed KMS key.", "DisplayName": "AWS CloudTrail Log Encryption", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that CloudTrail logs have file integrity validation enabled.", "DisplayName": "AWS CloudTrail Log Validation", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_log_validation.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that at least one CloudTrail has management (control plane) operations logged.", "DisplayName": "AWS CloudTrail Management Events Enabled", "LogTypes": ["AWS.CloudTrail.Meta"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_enabled.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for *AccountPasswordPolicy events in AWS CloudTrail logs. 
If these events occur in a short period of time from the same ARN, it could constitute Password Policy reconnaissance.", "DisplayName": "AWS CloudTrail Password Policy Discovery", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_password_policy_discovery.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an S3 bucket containing CloudTrail logs has been modified to delete data after a short period of time.", "DisplayName": "AWS CloudTrail Retention Lifecycle Too Short", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the bucket receiving CloudTrail Logs is configured with S3 Access Logging. This audits all creation, modification, or deletion to CloudTrail audit logs.", "DisplayName": "AWS CloudTrail S3 Bucket Access Logging", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that CloudTrail S3 buckets are not publicly accessible.", "DisplayName": "AWS CloudTrail S3 Bucket Public", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AWS CloudTrail SES Check Identity Verifications", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.yml"}, {"AnalysisType": "Rule", "Description": "Detect when someone checks how many emails can be delivered via SES", "DisplayName": "AWS CloudTrail SES Check Send Quota", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.yml"}, {"AnalysisType": "Rule", "Description": "Detect when a user inquires whether SES Sending is enabled.", "DisplayName": "AWS CloudTrail SES Check SES 
Sending Enabled", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.yml"}, {"AnalysisType": "Correlation Rule", "Description": "", "DisplayName": "AWS CloudTrail SES Enumeration", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_enumeration.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AWS CloudTrail SES List Identities", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.yml"}, {"AnalysisType": "Policy", "Description": "AWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data.", "DisplayName": "AWS CloudWatch Log Encryption", "LogTypes": ["AWS.CloudWatch.LogGroup"], "YAMLPath": "policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.yml"}, {"AnalysisType": "Policy", "Description": "By default, logs are kept indefinitely and never expire. 
You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a specific retention period.", "DisplayName": "AWS CloudWatch Logs Data Retention", "LogTypes": ["AWS.CloudWatch.LogGroup"], "YAMLPath": "policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.yml"}, {"AnalysisType": "Rule", "Description": "An AWS command was executed on a Linux instance", "DisplayName": "AWS command executed on the command line", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_linux_aws_commands.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an IAM user has the AWSCompromisedKeyQuarantineV2 policy attached to their account.", "DisplayName": "AWS Compromised IAM Key Quarantine", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_compromised_key_quarantine.yml"}, {"AnalysisType": "Policy", "Description": "You can have AWS Config record supported types of global resources, such as IAM users, groups, roles, and customer managed policies.", "DisplayName": "AWS Config Global Resources", "LogTypes": ["AWS.Config.Recorder.Meta"], "YAMLPath": "policies/aws_config_policies/aws_config_global_resources.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the config recorder is operational and capturing changes to your account without error.", "DisplayName": "AWS Config Recording Status", "LogTypes": ["AWS.Config.Recorder"], "YAMLPath": "policies/aws_config_policies/aws_config_recording_no_error.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensurers that you have a comprehensive configuration audit in place for all resource types in AWS.", "DisplayName": "AWS Config Records All Resource Types", "LogTypes": ["AWS.Config.Recorder"], "YAMLPath": "policies/aws_config_policies/aws_config_all_resource_types.yml"}, {"AnalysisType": "Rule", "Description": "An AWS Config Recorder or Delivery Channel was created", "DisplayName": "AWS Config 
Service Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_config_service_created.yml"}, {"AnalysisType": "Rule", "Description": "An AWS Config Recorder or Delivery Channel was disabled or deleted", "DisplayName": "AWS Config Service Disabled", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_config_service_disabled_deleted.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the config recorder is operational and capturing changes to your account.", "DisplayName": "AWS Config Status", "LogTypes": ["AWS.Config.Recorder"], "YAMLPath": "policies/aws_config_policies/aws_config_recording_enabled.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AWS Console Login", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_console_login.yml"}, {"AnalysisType": "Correlation Rule", "Description": "A user has logged into the AWS console without authenticating via Okta. This rule requires AWS SSO via Okta and both log sources configured.", "DisplayName": "AWS Console Sign-In NOT PRECEDED BY Okta Redirect", "LogTypes": ["AWS.CloudTrail", "Okta.SystemLog"], "YAMLPath": "correlation_rules/aws_console_sign-in_without_okta.yml"}, {"AnalysisType": "Rule", "Description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", "DisplayName": "AWS DNS Crypto Domain", "LogTypes": ["AWS.VPCDns", "OCSF.DnsActivity"], "YAMLPath": "rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml"}, {"AnalysisType": "Rule", "Description": "Detects when logs for a DNS Resolver have been removed.", "DisplayName": "AWS DNS Logs Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_dns_logs_deleted.yml"}, {"AnalysisType": "Policy", "Description": "DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. 
This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic", "DisplayName": "AWS DynamoDB Table Autoscaling", "LogTypes": ["AWS.DynamoDB.Table"], "YAMLPath": "policies/aws_dynamodb_policies/aws_dynamodb_autoscaling.yml"}, {"AnalysisType": "Policy", "Description": "DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic", "DisplayName": "AWS DynamoDB Table Autoscaling Configuration", "LogTypes": ["AWS.DynamoDB.Table"], "YAMLPath": "policies/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all DynamoDB tables have a TTL field configured.", "DisplayName": "AWS DynamoDB Table TTL", "LogTypes": ["AWS.DynamoDB.Table"], "YAMLPath": "policies/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.yml"}, {"AnalysisType": "Policy", "Description": "Checks that AWS EC2 AMI's are only launched on approved dedicated hosts.", "DisplayName": "AWS EC2 AMI Approved Host", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_ami_approved_host.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the EC2 instance is running with an instance type approved for its AMI.", "DisplayName": "AWS EC2 AMI Approved Instance Type", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_ami_approved_instance_type.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the EC2 instance was launched with a tenancy approved for its AMI.", "DisplayName": "AWS EC2 AMI Approved Tenancy", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_ami_approved_tenancy.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Multiple different discovery commands were executed by the same EC2 
instance.", "DisplayName": "AWS EC2 Discovery Commands Executed", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/ec2_discovery_commands_query.yml"}, {"AnalysisType": "Rule", "Description": "An entity has accessed the user data scripts of multiple EC2 instances.", "DisplayName": "AWS EC2 Download Instance User Data", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_download_instance_user_data.yml"}, {"AnalysisType": "Rule", "Description": "Identifies disabling of default EBS encryption. Disabling default encryption does not change the encryption status of existing volumes.", "DisplayName": "AWS EC2 EBS Encryption Disabled", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_ebs_encryption_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Checks CloudTrail for occurrences of EC2 Image Actions.", "DisplayName": "AWS EC2 Image Monitoring", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_monitoring.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures the given EC2 instance is running an AMI from the approved list of AMI's.", "DisplayName": "AWS EC2 Instance Approved AMI", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_ami.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures the given EC2 Instance is running on an approved dedicated host.", "DisplayName": "AWS EC2 Instance Approved Host", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_host.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the EC2 instance is running on one of the approved instance types.", "DisplayName": "AWS EC2 Instance Approved Instance Type", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_instance_type.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures the 
given EC2 Instance is running with an approved tenancy option. The possible tenancy options are dedicated, host, and default.", "DisplayName": "AWS EC2 Instance Approved Tenancy", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_tenancy.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the given EC2 Instance is running in an approved VPC.", "DisplayName": "AWS EC2 Instance Approved VPC", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_vpc.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the AWS Instance has Detailed Monitoring Enabled", "DisplayName": "AWS EC2 Instance Detailed Monitoring", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures EBS optimization is enabled for the given EC2 instance, if applicable.", "DisplayName": "AWS EC2 Instance EBS Optimization", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_ebs_optimization.yml"}, {"AnalysisType": "Rule", "Description": "Detect when an actor deploys an EC2 instance with an unusual profile based on your business needs.", "DisplayName": "AWS EC2 Launch Unusual EC2 Instances", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_launch_unusual_ec2_instances.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 security group was manually updated without abiding by the organization's accepted processes. 
This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS.", "DisplayName": "AWS EC2 Manual Security Group Change", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml"}, {"AnalysisType": "Rule", "Description": "An actor in AWS has made many attempts to retrieve EC2 passwords. It is typically not necessary to retrieve EC2 passwords more than a few times an hour.", "DisplayName": "AWS EC2 Many Password Read Attempts", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_many_passwors_read_attempts.yml"}, {"AnalysisType": "Rule", "Description": "Detect when an attacker pushes an SSH public key to multiple EC2 instances.", "DisplayName": "AWS EC2 Multi Instance Connect", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_multi_instance_connect.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to the EC2 instance startup script. 
The shell script will be executed as root/SYSTEM every time the specific instances are booted up.", "DisplayName": "AWS EC2 Startup Script Change", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_startup_script_change.yml"}, {"AnalysisType": "Rule", "Description": "This rule captures multiple traffic mirroring events in AWS Cloudtrail.", "DisplayName": "AWS EC2 Traffic Mirroring", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_traffic_mirroring.yml"}, {"AnalysisType": "Policy", "Description": "You can encrypt both the boot and data volumes of an EC2 instance.", "DisplayName": "AWS EC2 Volume Encryption", "LogTypes": ["AWS.EC2.Volume"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_volume_encryption.yml"}, {"AnalysisType": "Policy", "Description": "You can encrypt the snapshot of an EC2 volume to protect against accidental data loss", "DisplayName": "AWS EC2 Volume Snapshot Encryption", "LogTypes": ["AWS.EC2.Volume"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.yml"}, {"AnalysisType": "Rule", "Description": "Detecting EC2 instances launched with AMIs containing potentially vulnerable versions of XZ (CVE-2024-3094)", "DisplayName": "AWS EC2 Vulnerable XZ Image Launched", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_vulnerable_xz_image_launched.yml"}, {"AnalysisType": "Rule", "Description": "An ECR event occurred outside of an expected account or region", "DisplayName": "AWS ECR Events", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ecr_events.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that deprecated TLS versions are not supported in internet-facing load balancers", "DisplayName": "AWS ELB SSL Policies", "LogTypes": ["AWS.ELBV2.ApplicationLoadBalancer"], "YAMLPath": "policies/aws_load_balancer_policies/aws_alb_ssl_policy.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates 
that ELBV2 load balancer listeners are using an SSL policy.", "DisplayName": "AWS Enforces SSL Policies", "LogTypes": ["AWS.ELBV2.ApplicationLoadBalancer"], "YAMLPath": "policies/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.yml"}, {"AnalysisType": "Policy", "Description": "GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.", "DisplayName": "AWS GuardDuty Enabled", "LogTypes": ["AWS.GuardDuty.Detector.Meta"], "YAMLPath": "policies/aws_guardduty_policies/aws_guardduty_enabled.yml"}, {"AnalysisType": "Rule", "Description": "A high-severity GuardDuty finding has been identified.", "DisplayName": "AWS GuardDuty High Severity Finding", "LogTypes": ["AWS.GuardDuty"], "YAMLPath": "rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.yml"}, {"AnalysisType": "Rule", "Description": "A low-severity GuardDuty finding has been identified.", "DisplayName": "AWS GuardDuty Low Severity Finding", "LogTypes": ["AWS.GuardDuty"], "YAMLPath": "rules/aws_guardduty_rules/aws_guardduty_low_sev_findings.yml"}, {"AnalysisType": "Policy", "Description": "Ensure that all GuardDuty logs are sending into a single Master account. 
This is a best practice for centralizing detection logic and useful data during an investigation.", "DisplayName": "AWS GuardDuty Master Account", "LogTypes": ["AWS.GuardDuty.Detector"], "YAMLPath": "policies/aws_guardduty_policies/aws_guardduty_master_account.yml"}, {"AnalysisType": "Rule", "Description": "A medium-severity GuardDuty finding has been identified.", "DisplayName": "AWS GuardDuty Medium Severity Finding", "LogTypes": ["AWS.GuardDuty"], "YAMLPath": "rules/aws_guardduty_rules/aws_guardduty_med_sev_findings.yml"}, {"AnalysisType": "Rule", "Description": "This rule captures multiple read/list events related to IAM group management in AWS Cloudtrail.", "DisplayName": "AWS IAM Group Read Only Events", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_group_read_only_events.yml"}, {"AnalysisType": "Policy", "Description": "This Policy ensures that all IAM groups have at least one IAM user. If they are vacant, they should be deleted.", "DisplayName": "AWS IAM Group Users", "LogTypes": ["AWS.IAM.Group"], "YAMLPath": "policies/aws_iam_policies/aws_iam_group_users.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates IAM users with console passwords have logged in within the past 90 days.", "DisplayName": "AWS IAM Password Unused", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_password_unused.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that there are no IAM policies that grant full administrative privileges to IAM users or groups.", "DisplayName": "AWS IAM Policy Administrative Privileges", "LogTypes": ["AWS.IAM.Policy"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_administrative_privileges.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that there are no IAM policies assigned directly to users. 
Best practice suggests assigning to an IAM group and placing users within that group.", "DisplayName": "AWS IAM Policy Assigned to User", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_assigned_to_user.yml"}, {"AnalysisType": "Policy", "Description": "This detects the usage of highly permissive IAM Policies that should only be assigned to a small number of users, roles, or groups.", "DisplayName": "AWS IAM Policy Blocklist", "LogTypes": ["AWS.IAM.Group", "AWS.IAM.Role", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_blocklist.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that no IAM policies grant admin access. This should be combined with suppressions on the legitimate IAM admin policies in your account so that it only fires when new and unexpected policies granting admin access are created.", "DisplayName": "AWS IAM Policy Does Not Grant Any Administrative Access", "LogTypes": ["AWS.IAM.Policy"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that no IAM policies grant admin privileges on network resources. This should be used in conjunction with suppressions for the legitimate network admin policies in your account.", "DisplayName": "AWS IAM Policy Does Not Grant Network Admin Access", "LogTypes": ["AWS.IAM.Policy"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that policies that have been explicitly configured to be set to certain roles are still attached to those roles.", "DisplayName": "AWS IAM Policy Role Mapping", "LogTypes": ["AWS.IAM.Policy"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_role_mapping.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that no IAM entities have inline policies assigned. 
Inline policies are more difficult to administer and audit, and may lead to access that lasts longer than intended.", "DisplayName": "AWS IAM Resource Does Not Have Inline Policy", "LogTypes": ["AWS.IAM.Group", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM roles that grant the (specified) permission do not allow accounts outside the organization to assume them.", "DisplayName": "AWS IAM Role Grants (permission) to Non-organizational Account", "LogTypes": ["AWS.IAM.Role"], "YAMLPath": "policies/aws_iam_policies/aws_iam_role_external_permission.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM roles in the account are restrictive in what entities may assume them. This can help prevent malicious actors from assuming roles they should not be assuming.", "DisplayName": "AWS IAM Role Restricts Usage", "LogTypes": ["AWS.IAM.Role"], "YAMLPath": "policies/aws_iam_policies/aws_iam_role_restricts_usage.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that IAM roles used with GitHub Actions are securely configured to prevent unauthorized access to AWS resources. It validates trust relationships by checking for proper audience (aud) restrictions, ensuring it is set to sts.amazonaws.com, and subject (sub) conditions, confirming they are scoped to specific repositories or environments. Misconfigurations, such as overly permissive wildcards or missing conditions, can allow unauthorized repositories to assume roles, leading to potential data breaches or compliance violations. 
By enforcing these checks, the policy mitigates risks of exploitation, enhances security posture, and protects critical AWS resources from external threats.", "DisplayName": "AWS IAM Role Trust Relationship for GitHub Actions", "LogTypes": ["AWS.IAM.Role"], "YAMLPath": "policies/aws_iam_policies/aws_iam_role_github_actions_trust.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all AWS IAM users with access to the AWS Console have Multi-Factor Authentication (MFA) enabled.", "DisplayName": "AWS IAM User MFA ", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_user_mfa.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM users are not in IAM groups that are considered mutually exclusive. For example, in some workflows developers are responsible for dev environments and sysadmins are responsible for prod environments. In this situation no (or very few) users should be in both sysadmin and developer groups. This is in following with the principle of least privilege.", "DisplayName": "AWS IAM User Not In Conflicting Groups", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that customer master keys (CMKs) have automatic key rotation enabled.", "DisplayName": "AWS KMS CMK Key Rotation", "LogTypes": ["AWS.KMS.Key"], "YAMLPath": "policies/aws_kms_policies/aws_cmk_key_rotation.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that KMS Keys restrict what entities can use them and how. 
This is to ensure that encryption keys are limited in who can use them in order to prevent unapproved decryption.", "DisplayName": "AWS KMS Key Restricts Usage", "LogTypes": ["AWS.KMS.Key"], "YAMLPath": "policies/aws_kms_policies/aws_kms_key_policy_restricts_usage.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the function policy attached to the Lambda resource prohibits public access", "DisplayName": "AWS Lambda Public Access", "LogTypes": ["AWS.Lambda.Function"], "YAMLPath": "policies/aws_lambda_policies/aws_lambda_public_access.yml"}, {"AnalysisType": "Rule", "Description": "Amazon Macie is a data security and data privacy service to discover and protect sensitive data. Security teams use Macie to detect open S3 Buckets that could have potentially sensitive data in it along with policy violations, such as missing Encryption. If an attacker disables Macie, it could potentially hide data exfiltration.", "DisplayName": "AWS Macie Disabled/Updated", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_macie_evasion.yml"}, {"AnalysisType": "Rule", "Description": "Detection when EC2 compute infrastructure is modified outside of expected automation methods.", "DisplayName": "AWS Modify Cloud Compute Infrastructure", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_modify_cloud_compute_infrastructure.yml"}, {"AnalysisType": "Rule", "Description": "A Network ACL entry that allows access from anywhere was added.", "DisplayName": "AWS Network ACL Overly Permissive Entry Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Network ACLs restrict inbound traffic in some way.", "DisplayName": "AWS Network ACL Restricts Inbound Traffic", "LogTypes": ["AWS.EC2.NetworkACL"], "YAMLPath": "policies/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.yml"}, 
{"AnalysisType": "Policy", "Description": "This policy validates that Network ACLs block the usage of ports typically associated with insecure or unencrypted protocols.", "DisplayName": "AWS Network ACL Restricts Insecure Protocols", "LogTypes": ["AWS.EC2.NetworkACL"], "YAMLPath": "policies/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Network ACLs have some restrictions on outbound traffic.", "DisplayName": "AWS Network ACL Restricts Outbound Traffic", "LogTypes": ["AWS.EC2.NetworkACL"], "YAMLPath": "policies/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.yml"}, {"AnalysisType": "Policy", "Description": "SSH access should only be granted from protected network CIDR ranges.", "DisplayName": "AWS Network ACL Restricts SSH", "LogTypes": ["AWS.EC2.NetworkACL"], "YAMLPath": "policies/aws_vpc_policies/aws_network_acl_restricted_ssh.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the account password policy enforces the recommended password complexity requirements.", "DisplayName": "AWS Password Policy Complexity Guidelines", "LogTypes": ["AWS.PasswordPolicy"], "YAMLPath": "policies/aws_account_policies/aws_password_policy_complexity_guidelines.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the account password policy enforces a maximum password age of 90 days or less.", "DisplayName": "AWS Password Policy Password Age Limit", "LogTypes": ["AWS.PasswordPolicy"], "YAMLPath": "policies/aws_account_policies/aws_password_policy_password_age_limit.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the account password policy prevents users from re-using previous passwords, and prevents password reuse for 24 or more prior passwords.", "DisplayName": "AWS Password Policy Password Reuse", "LogTypes": ["AWS.PasswordPolicy"], "YAMLPath": 
"policies/aws_account_policies/aws_password_policy_password_reuse.yml"}, {"AnalysisType": "Rule", "Description": "Identifies when a permission is added to a Lambda function, which could indicate a potential security risk.", "DisplayName": "AWS Potential Backdoor Lambda Function Through Resource-Based Policy", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_backdoor_lambda_function.yml"}, {"AnalysisType": "Scheduled Query", "Description": "A role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role.", "DisplayName": "AWS Potentially Stolen Service Role", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/aws_potentially_compromised_service_role_query.yml"}, {"AnalysisType": "Correlation Rule", "Description": "", "DisplayName": "AWS Privilege Escalation Via User Compromise", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_privilege_escalation_via_user_compromise.yml"}, {"AnalysisType": "Rule", "Description": "Detects the recovery of a new public database instance from a snapshot. It may be part of data exfiltration.", "DisplayName": "AWS Public RDS Restore", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_rds_publicrestore.yml"}, {"AnalysisType": "Policy", "Description": "This Policy ensures that RDS Instances have Backups enabled. 
Backups are an important aspect of disaster recovery that can protect sensitive data from destruction.", "DisplayName": "AWS RDS Instance Backup", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_backup.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that RDS instances have encryption enabled.", "DisplayName": "AWS RDS Instance Encryption", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_encryption.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that RDS instances are configured with a backup retention period that is acceptable to company policy. This ensures for both compliance and security reasons that records are kept for a minimum period of time, and for compliance and performance reasons that records are not kept indefinitely.", "DisplayName": "AWS RDS Instance Has Acceptable Backup Retention Period", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.yml"}, {"AnalysisType": "Policy", "Description": "This Policy ensures that RDS Instances have are running in High Availability mode to provide redundancy in the event of an operational failure. 
For Aurora, storage is replicated across all the Availability Zones and doesn't require this setting.", "DisplayName": "AWS RDS Instance High Availability", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_high_availability.yml"}, {"AnalysisType": "Policy", "Description": "If you want Amazon RDS to upgrade the DB engine version of a database automatically, you can enable auto minor version upgrades for the database.", "DisplayName": "AWS RDS Instance Minor Version Upgrades", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.yml"}, {"AnalysisType": "Policy", "Description": "This Policy checks that an RDS Instance is not accessible from the public internet.", "DisplayName": "AWS RDS Instance Public Access", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_public_access.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that RDS Instance snapshots are not publicly restorable. This would allow anyone to restore an old version of your database and have full access to its contents.", "DisplayName": "AWS RDS Instance Snapshot Public Access", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_snapshot_public_access.yml"}, {"AnalysisType": "Rule", "Description": "A manual snapshot of an RDS database was created. 
An attacker may use this to exfiltrate the DB contents to another account; use this as a correlation rule.", "DisplayName": "AWS RDS Manual/Public Snapshot Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.yml"}, {"AnalysisType": "Rule", "Description": "A sensitive database operation that should be performed carefully or rarely", "DisplayName": "AWS RDS Master Password Updated", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_rds_master_pass_updated.yml"}, {"AnalysisType": "Rule", "Description": "An RDS snapshot was shared with another account. This could be an indicator of exfiltration.", "DisplayName": "AWS RDS Snapshot Shared", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Clusters have encryption enabled.", "DisplayName": "AWS Redshift Cluster Encryption", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_encryption.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Cluster snapshot retention periods are set to an appropriate time. This ensures that records are kept long enough for compliance and security reasons, but no too long for compliance and performance reasons.", "DisplayName": "AWS Redshift Cluster Has Acceptable Snapshot Retention Period", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Cluster have logging enabled. 
This includes audit logs.", "DisplayName": "AWS Redshift Cluster Logging", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_logging.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Clusters have the correct preferred maintenance window configured.", "DisplayName": "AWS Redshift Cluster Maintenance Window", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_maintenance_window.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Clusters have sufficient snapshot retention periods, so that snapshots are not lost before they are needed.", "DisplayName": "AWS Redshift Cluster Snapshot Retention", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Clusters automatically perform upgrades during scheduled maintenance windows.", "DisplayName": "AWS Redshift Cluster Version Upgrade", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_version_upgrade.yml"}, {"AnalysisType": "Rule", "Description": "Some AWS resource was made publicly accessible over the internet. 
Checks ECR, Elasticsearch, KMS, S3, S3 Glacier, SNS, SQS, and Secrets Manager.", "DisplayName": "AWS Resource Made Public", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_resource_made_public.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that applicable resources have a minimum number of tags set.", "DisplayName": "AWS Resource Minimum Tags ", "LogTypes": ["AWS.EC2.Instance", "AWS.EC2.SecurityGroup", "AWS.EC2.VPC", "AWS.IAM.User"], "YAMLPath": "policies/aws_account_policies/aws_resource_minimum_tags.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that AWS resources have specific tags, dependent on their resource type.", "DisplayName": "AWS Resource Required Tags", "LogTypes": ["AWS.EC2.Instance", "AWS.EC2.SecurityGroup", "AWS.EC2.VPC", "AWS.IAM.User"], "YAMLPath": "policies/aws_account_policies/aws_resource_required_tags.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that no programmatic access keys exist for the root account.", "DisplayName": "AWS Root Account Access Keys", "LogTypes": ["AWS.IAM.RootUser"], "YAMLPath": "policies/aws_iam_policies/aws_root_account_access_keys.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that a hardware MFA device is in use for access to the root account.", "DisplayName": "AWS Root Account Hardware MFA", "LogTypes": ["AWS.IAM.RootUser"], "YAMLPath": "policies/aws_iam_policies/aws_root_account_hardware_mfa.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Multi Factor Authentication (MFA) is required for access to the root account.", "DisplayName": "AWS Root Account MFA", "LogTypes": ["AWS.IAM.RootUser"], "YAMLPath": "policies/aws_iam_policies/aws_root_account_mfa.yml"}, {"AnalysisType": "Rule", "Description": "Checks for errors during S3 Object access. 
This could be due to insufficient access permissions, non-existent buckets, or other reasons.", "DisplayName": "AWS S3 Access Error", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_access_error.yml"}, {"AnalysisType": "Rule", "Description": "Checks that the remote IP accessing the S3 bucket is in the IP allowlist.", "DisplayName": "AWS S3 Access IP Allowlist", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_access_ip_allowlist.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that the S3 bucket policy does not allow any action on the bucket, in accordance with the principal of least privilege.", "DisplayName": "AWS S3 Bucket Action Restrictions", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_action_restrictions.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that the S3 bucket has encryption enabled.", "DisplayName": "AWS S3 Bucket Encryption", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_encryption.yml"}, {"AnalysisType": "Policy", "Description": "Verifies that the S3 Bucket Object Lifecycle configuration expires data within 90 and 365 days.", "DisplayName": "AWS S3 Bucket Lifecycle Configuration", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that a logging policy is set for the S3 bucket.", "DisplayName": "AWS S3 Bucket Logging", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_logging.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that MFA delete is enabled for a bucket so that all objects can only be deleted by users authenticated with MFA.", "DisplayName": "AWS S3 Bucket MFA Delete", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_mfa_delete.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that 
the AWS S3 bucket name is DNS compliant.", "DisplayName": "AWS S3 Bucket Name DNS Compliance", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_name_dns_compliance.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that S3 buckets have an Object Lock configuration enabled. This should be used with specific suppression lists to ensure it is applied only to appropriate S3 buckets, such as those containing CloudTrail or other auditable records.", "DisplayName": "AWS S3 Bucket Object Lock Configured", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_object_lock_configured.yml"}, {"AnalysisType": "Policy", "Description": "Prevents the use of a 'Not' principal in conjunction with an allow effect in an S3 bucket policy, which would allow global access for the resource besides the principals specified.", "DisplayName": "AWS S3 Bucket Policy Allow With Not Principal", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.yml"}, {"AnalysisType": "Rule", "Description": "An S3 Bucket was modified.", "DisplayName": "AWS S3 Bucket Policy Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that S3 Bucket access policies do not allow all users (Principal:\"*\") for a given action on the bucket, in accordance with the principle of least privilege.", "DisplayName": "AWS S3 Bucket Principal Restrictions", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_principal_restrictions.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that a Public Access Block Configuration is set for the given S3 bucket.", "DisplayName": "AWS S3 Bucket Public Access Block", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_public_access_block.yml"}, 
{"AnalysisType": "Policy", "Description": "Ensures that the S3 bucket is not publicly readable.", "DisplayName": "AWS S3 Bucket Public Read", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_public_read.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that the S3 bucket is not publicly writeable.", "DisplayName": "AWS S3 Bucket Public Write", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_public_write.yml"}, {"AnalysisType": "Policy", "Description": "Ensures access to S3 buckets is forced to use a secure (HTTPS) connection.", "DisplayName": "AWS S3 Bucket Secure Access", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_secure_access.yml"}, {"AnalysisType": "Policy", "Description": "Checks that object versioning is enabled in the S3 bucket.", "DisplayName": "AWS S3 Bucket Versioning", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_versioning.yml"}, {"AnalysisType": "Rule", "Description": "Checks if HTTP (unencrypted) was used to access objects in an S3 bucket, as opposed to HTTPS (encrypted).", "DisplayName": "AWS S3 Insecure Access", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_insecure_access.yml"}, {"AnalysisType": "Rule", "Description": "Checks for S3 access attempts where the requester is not an authenticated AWS user.", "DisplayName": "AWS S3 Unauthenticated Access", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_unauthenticated_access.yml"}, {"AnalysisType": "Rule", "Description": "Validates that proper IAM entities are accessing sensitive data buckets.", "DisplayName": "AWS S3 Unknown Requester", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_unknown_requester_get_object.yml"}, {"AnalysisType": "Rule", "Description": "Identifies when SAML activity has occurred in AWS. 
An adversary could gain backdoor access via SAML.", "DisplayName": "AWS SAML Activity", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_saml_activity.yml"}, {"AnalysisType": "Rule", "Description": "An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets.", "DisplayName": "AWS Secrets Manager Batch Retrieve Secrets", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_batch.yml"}, {"AnalysisType": "Rule", "Description": "An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets. Although BatchGetSecretValue requires a list of secret IDs or a filter, an attacker may use a catch-all filter to retrieve all secrets by batch. This rule identifies BatchGetSecretValue events with a catch-all filter.", "DisplayName": "AWS Secrets Manager Batch Retrieve Secrets Catch-All", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_catchall.yml"}, {"AnalysisType": "Rule", "Description": "An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets. 
This rule identifies BatchGetSecretValue events for multiple regions in a short period of time.", "DisplayName": "AWS Secrets Manager Retrieve Secrets Multi-Region", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_multiregion.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that only Security Groups designated as DMZs allow inbound traffic from public IP space. This helps ensure no traffic is bypassing the DMZ.", "DisplayName": "AWS Security Group - Only DMZ Publicly Accessible", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that AWS Security Groups don't allow unrestricted inbound traffic on port 3389 or 22, ports commonly used for the remote access protocols RDP and SSH respectively.", "DisplayName": "AWS Security Group Administrative Ingress", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_administrative_ingress.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that are considered part of the PCI CDE do not allow any access from public IP space.", "DisplayName": "AWS Security Group Restricts Access To CDE", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_access_to_cde.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have some restrictions on inbound traffic.", "DisplayName": "AWS Security Group Restricts Inbound Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have restrictions on inter Security Group traffic. 
Administrators may assume there is an implicit level of trust between Security Groups in the same account, but this is not always a good assumption in cases one Security Group contains far more sensitive data that another.", "DisplayName": "AWS Security Group Restricts Inter-SG Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have some restrictions on outbound traffic.", "DisplayName": "AWS Security Group Restricts Outbound Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that there are restrictions on what type of traffic may leave Security Groups that are considered with the scope of the PCI CDE. These restrictions help ensure that cardholder data does not leave the CDE.", "DisplayName": "AWS Security Group Restricts Traffic Leaving CDE", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have restrictive permission sets that both limit the total number of open ports, as well as limiting ports typically associated with insecure protocols.", "DisplayName": "AWS Security Group Tightly Restricts Inbound Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have restrictive controls on outbound traffic.", "DisplayName": "AWS Security Group Tightly Restricts Outbound Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": 
"policies/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.yml"}, {"AnalysisType": "Rule", "Description": "Detections modification of findings in SecurityHub", "DisplayName": "AWS SecurityHub Finding Evasion", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_securityhub_finding_evasion.yml"}, {"AnalysisType": "Rule", "Description": "An AWS storage snapshot was made public.", "DisplayName": "AWS Snapshot Made Public", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_snapshot_made_public.yml"}, {"AnalysisType": "Rule", "Description": "A user is obtaining a list of security software, configurations, defensive tools, and sensors that are in AWS.", "DisplayName": "AWS Software Discovery", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_software_discovery.yml"}, {"AnalysisType": "Correlation Rule", "Description": "When using AWS in an enterprise environment, best practices dictate to use a single sign-on service for identity and access management. AWS SSO is a popular solution, integrating with third-party providers such as Okta and allowing to centrally manage roles and permissions in multiple AWS accounts.In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing \u2013 just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level.", "DisplayName": "AWS SSO Access Token Retrieved by Unauthenticated IP", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml"}, {"AnalysisType": "Rule", "Description": "Detects creation and updates of the list of trusted IPs used by GuardDuty and WAF. 
Potentially to disable security alerts against malicious IPs.", "DisplayName": "AWS Trusted IPSet Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ipset_modified.yml"}, {"AnalysisType": "Rule", "Description": "Monitor application logs for suspicious events including repeated MFA failures that may indicate user's primary credentials have been compromised.", "DisplayName": "AWS Unsuccessful MFA attempt", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_unsuccessful_mfa_attempt.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM user access keys are used at least once every 90 days.", "DisplayName": "AWS Unused Access Key", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_access_key_unused.yml"}, {"AnalysisType": "Rule", "Description": "Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment.", "DisplayName": "AWS User API Key Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml"}, {"AnalysisType": "Rule", "Description": "An attacker with iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console. 
May be legitimate account administration.", "DisplayName": "AWS User Login Profile Created or Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_loginprofilecreatedormodified.yml"}, {"AnalysisType": "Correlation Rule", "Description": "", "DisplayName": "AWS User Takeover Via Password Reset", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_user_takeover_via_password_reset.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the default Network ACL for a given AWS VPC is restricting all inbound and outbound traffic.", "DisplayName": "AWS VPC Default Network ACL Restricts All Traffic", "LogTypes": ["AWS.EC2.VPC"], "YAMLPath": "policies/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the default Security Group for a given AWS VPC is restricting all inbound and outbound traffic.", "DisplayName": "AWS VPC Default Security Group Restrictions ", "LogTypes": ["AWS.EC2.VPC"], "YAMLPath": "policies/aws_vpc_policies/aws_vpc_default_security_restrictions.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that AWS VPCs (Virtual Private Clouds) have network flow logging enabled.", "DisplayName": "AWS VPC Flow Logs", "LogTypes": ["AWS.EC2.VPC"], "YAMLPath": "policies/aws_vpc_policies/aws_vpc_flow_logs.yml"}, {"AnalysisType": "Rule", "Description": "Detects when logs for a VPC have been removed.", "DisplayName": "AWS VPC Flow Logs Removed", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Checks for the log status `SKIPDATA`, which indicates that data was lost either to an internal server error or due to capacity constraints.", "DisplayName": "AWS VPC Healthy Log Status", "LogTypes": ["AWS.VPCFlow", "OCSF.NetworkActivity"], "YAMLPath": 
"rules/aws_vpc_flow_rules/aws_vpc_healthy_log_status.yml"}, {"AnalysisType": "Rule", "Description": "Detection to alert when a WAF disassociates from a source.", "DisplayName": "AWS WAF Disassociation", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_waf_disassociation.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all WAF's have at least one rule with a predicate matching on and blocking XSS attacks.", "DisplayName": "AWS WAF Has XSS Predicate", "LogTypes": ["AWS.WAF.Regional.WebACL", "AWS.WAF.WebACL"], "YAMLPath": "policies/aws_waf_policies/aws_waf_has_xss_predicate.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that AWS WAF logging is enabled and that the logs are being sent to a valid destination (S3, CloudWatch, or Kinesis Firehose). Without logging, visibility into WAF activity is severely limited, increasing the risk of undetected attacks.", "DisplayName": "AWS WAF Logging Configured", "LogTypes": ["AWS.WAF.Regional.WebACL", "AWS.WAF.WebACL"], "YAMLPath": "policies/aws_waf_policies/aws_waf_logging_configured.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all WAF's have the correct rule ordering. Incorrect rule ordering could lead to less restrictive rules being matched and allowing traffic through before more restrictive rules that should have blocked the traffic.", "DisplayName": "AWS WAF Rule Ordering", "LogTypes": ["AWS.WAF.Regional.WebACL", "AWS.WAF.WebACL"], "YAMLPath": "policies/aws_waf_policies/aws_waf_rule_ordering.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that AWS WAF WebACLs are associated with at least one resource (ALB, CloudFront Distribution, or API Gateway). 
If a WebACL is not associated with any resources, it is inactive and not providing any protection.", "DisplayName": "AWS WAF WebACL Has Associated Resources", "LogTypes": ["AWS.WAF.Regional.WebACL", "AWS.WAF.WebACL"], "YAMLPath": "policies/aws_waf_policies/aws_waf_webacl_has_associated_resources.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Identifies when an Administrative IAM user is creates. This could indicate a potential security breach.", "DisplayName": "AWS.Administrative.IAM.User.Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_create_admin_iam_user.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AWS.CloudTrail.UserAccessKeyAuth", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_useraccesskeyauth.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for a Azure users inviting external users", "DisplayName": "Azure Invite External Users", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_invite_external_users.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for a number of failed sign-ins for the same ServicePrincipalName or UserPrincipalName", "DisplayName": "Azure Many Failed SignIns", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_failed_signins.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for MFA being disabled in conditional access policy", "DisplayName": "Azure MFA Disabled", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_mfa_disabled.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for policy changes in AuditLogs", "DisplayName": "Azure Policy Changed", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_policy_changed.yml"}, {"AnalysisType": "Rule", "Description": "This detection surfaces an alert based on riskLevelAggregated, riskLevelDuringSignIn, and 
riskState.riskLevelAggregated and riskLevelDuringSignIn are only expected for Azure AD Premium P2 customers.", "DisplayName": "Azure RiskLevel Passthrough", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_risklevel_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for a change in member's PIM roles in EntraID", "DisplayName": "Azure Role Changed PIM", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_role_changed_pim.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for Successful Logins that have used legacy authentication protocols", "DisplayName": "Azure SignIn via Legacy Authentication Protocol", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_legacyauth.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when a user defined list of sensitive items in 1Password is accessed", "DisplayName": "BETA - Sensitive 1Password Item Accessed", "LogTypes": ["OnePassword.ItemUsage"], "YAMLPath": "rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml"}, {"AnalysisType": "Rule", "Description": "A user granted access to their box account to Box technical support from account settings.", "DisplayName": "Box Access Granted", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_access_granted.yml"}, {"AnalysisType": "Rule", "Description": "A user violated the content workflow policy.", "DisplayName": "Box Content Workflow Policy Violation", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_policy_violation.yml"}, {"AnalysisType": "Rule", "Description": "An external user has triggered a box enterprise event.", "DisplayName": "Box event triggered by unknown or external user", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_event_triggered_externally.yml"}, {"AnalysisType": "Rule", "Description": "A user has shared an item and it is accessible to anyone with the share link (internal or external to the company). 
This rule requires that the boxsdk[jwt] be installed in the environment.", "DisplayName": "Box item shared externally", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_item_shared_externally.yml"}, {"AnalysisType": "Rule", "Description": "A user has exceeded the threshold for number of downloads within a single time frame.", "DisplayName": "Box Large Number of Downloads", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_user_downloads.yml"}, {"AnalysisType": "Rule", "Description": "A user has exceeded the threshold for number of folder permission changes within a single time frame.", "DisplayName": "Box Large Number of Permission Changes", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_user_permission_updates.yml"}, {"AnalysisType": "Rule", "Description": "A user logged in from a new device.", "DisplayName": "Box New Login", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_new_login.yml"}, {"AnalysisType": "Rule", "Description": "A user's download activity has altered significantly.", "DisplayName": "Box Shield Detected Anomalous Download Activity", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_anomalous_download.yml"}, {"AnalysisType": "Rule", "Description": "A user login event or session event was tagged as medium to high severity by Box Shield.", "DisplayName": "Box Shield Suspicious Alert Triggered", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_suspicious_login_or_session.yml"}, {"AnalysisType": "Rule", "Description": "A user attempted to login from an untrusted device.", "DisplayName": "Box Untrusted Device Login", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_untrusted_device.yml"}, {"AnalysisType": "Rule", "Description": "An actor user was denied login access more times than the configured threshold.", "DisplayName": "Brute Force By IP", "LogTypes": ["AWS.CloudTrail", "Asana.Audit", "Atlassian.Audit", "Box.Event", "GSuite.Reports", "Okta.SystemLog", "OneLogin.Events", 
"OnePassword.SignInAttempt"], "YAMLPath": "rules/standard_rules/brute_force_by_ip.yml"}, {"AnalysisType": "Rule", "Description": "An actor user was denied login access more times than the configured threshold.", "DisplayName": "Brute Force By User", "LogTypes": ["AWS.CloudTrail", "Asana.Audit", "Atlassian.Audit", "Box.Event", "GSuite.Reports", "Okta.SystemLog", "OneLogin.Events", "OnePassword.SignInAttempt"], "YAMLPath": "rules/standard_rules/brute_force_by_user.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user is granted Admin or Super Admin permissions.", "DisplayName": "Carbon Black Admin Role Granted", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_admin_grant.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user creates a new API key or retrieves an existing key.", "DisplayName": "Carbon Black API Key Created or Retrieved", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_api_key_created_retrieved.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user disables or deletes a Data Forwarder.", "DisplayName": "Carbon Black Data Forwarder Stopped", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_data_forwarder_stopped.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Carbon Black has flagged a log as important, such as failed login attempts and locked accounts.", "DisplayName": "Carbon Black Log Entry Flagged", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_flagged.yml"}, {"AnalysisType": "Rule", "Description": "This rule enriches and contextualizes security alerts generated by Carbon Black. 
The alert title and description are dynamically updated based on data included in the alert log.", "DisplayName": "Carbon Black Passthrough Rule", "LogTypes": ["CarbonBlack.AlertV2"], "YAMLPath": "rules/carbonblack_rules/cb_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user from a different organization is added to Carbon Black.", "DisplayName": "Carbon Black User Added Outside Org", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_user_added_outside_org.yml"}, {"AnalysisType": "Rule", "Description": "Monitor blocked domains", "DisplayName": "Cisco Umbrella Domain Blocked", "LogTypes": ["CiscoUmbrella.DNS"], "YAMLPath": "rules/cisco_umbrella_dns_rules/domain_blocked.yml"}, {"AnalysisType": "Rule", "Description": "Identify lookups to suspicious domains that could indicate a phishing attack.", "DisplayName": "Cisco Umbrella Domain Name Fuzzy Matching", "LogTypes": ["CiscoUmbrella.DNS"], "YAMLPath": "rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml"}, {"AnalysisType": "Rule", "Description": "Monitor suspicious or known malicious domains", "DisplayName": "Cisco Umbrella Suspicious Domains", "LogTypes": ["CiscoUmbrella.DNS"], "YAMLPath": "rules/cisco_umbrella_dns_rules/suspicious_domains.yml"}, {"AnalysisType": "Rule", "Description": "Monitors for bots making HTTP Requests at a rate higher than 2req/sec", "DisplayName": "Cloudflare Bot High Volume", "LogTypes": ["Cloudflare.HttpRequest"], "YAMLPath": "rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml"}, {"AnalysisType": "Rule", "Description": "Layer 7 Distributed Denial of Service (DDoS) detected", "DisplayName": "Cloudflare L7 DDoS", "LogTypes": ["Cloudflare.Firewall"], "YAMLPath": "rules/cloudflare_rules/cloudflare_firewall_ddos.yml"}, {"AnalysisType": "Rule", "Description": "A CloudTrail instances were stopped. 
It makes further changes of instances possible", "DisplayName": "CloudTrail EC2 StopInstances", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_stopinstances.yml"}, {"AnalysisType": "Rule", "Description": "A CloudTrail Trail was modified to exclude management events for 1 or more resource types.", "DisplayName": "CloudTrail Event Selectors Disabled", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect password spraying account using a scheduled query", "DisplayName": "CloudTrail Password Spraying", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/cloudtrail_password_spraying.yml"}, {"AnalysisType": "Rule", "Description": "A CloudTrail Trail was modified.", "DisplayName": "CloudTrail Stopped", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_stopped.yml"}, {"AnalysisType": "Rule", "Description": "An AWS CodeBuild Project was made publicly accessible", "DisplayName": "CodeBuild Project made Public", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_codebuild_made_public.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when a user defined list of sensitive items in 1Password is accessed", "DisplayName": "Configuration Required - Sensitive 1Password Item Accessed", "LogTypes": ["OnePassword.ItemUsage"], "YAMLPath": "rules/onepassword_rules/onepassword_sensitive_item_access.yml"}, {"AnalysisType": "Rule", "Description": "Detection to alert when internal asset is communicating with an sanctioned destination. 
This detection leverages Panther UDM and IPInfo enrichment.", "DisplayName": "Connection to Embargoed Country", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_connection_to_embargoed_country.yml"}, {"AnalysisType": "Rule", "Description": "A user was assigned a priviledged role", "DisplayName": "Crowdstrike Admin Role Assigned", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_admin_role_assigned.yml"}, {"AnalysisType": "Rule", "Description": "A user deleted an allowlist", "DisplayName": "Crowdstrike Allowlist Removed", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_allowlist_removed.yml"}, {"AnalysisType": "Rule", "Description": "A user created an API Key in CrowdStrike", "DisplayName": "Crowdstrike API Key Created", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_api_key_created.yml"}, {"AnalysisType": "Rule", "Description": "A user deleted an API Key in CrowdStrike", "DisplayName": "Crowdstrike API Key Deleted", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_api_key_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects usage of tools commonly used for credential dumping.", "DisplayName": "Crowdstrike Credential Dumping Tool", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml"}, {"AnalysisType": "Rule", "Description": "Detects the execution of known crytocurrency mining tools.", "DisplayName": "Crowdstrike Cryptomining Tools ", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml"}, {"AnalysisType": "Rule", "Description": "Crowdstrike Falcon has detected malicious activity on a host.", "DisplayName": "Crowdstrike Detection Passthrough", "LogTypes": 
["Crowdstrike.DetectionSummary", "Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "Forwards any alerts generated by CrowdStrike to your Panther destinations.", "DisplayName": "Crowdstrike Detection Summary", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Detects when a user account is created and deleted within 12 hours. This aims to detect ephemeral user accounts infiltrators might use to avoid suspicion.", "DisplayName": "Crowdstrike Ephemeral User Account", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_ephemeral_user_account.yml"}, {"AnalysisType": "Rule", "Description": "Living off the land binaries and script usage", "DisplayName": "Crowdstrike FDR LOLBAS", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_lolbas.yml"}, {"AnalysisType": "Rule", "Description": "Updates were made to Falcon console's allowlist. 
This could indicate a bad actor permitting access from another machine, or could be attackers preventing legitimate actors from accessing the console.", "DisplayName": "Crowdstrike IP Allowlist Changed", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_ip_allowlist_changed.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects creation of large zip files, which can indicate attempts of exfiltration", "DisplayName": "CrowdStrike Large Zip Creation", "LogTypes": ["Crowdstrike.Unknown"], "YAMLPath": "queries/crowdstrike_queries/CrowdStrike_Large_Zip_Creation.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects creation of large zip files, which can indicate attempts of exfiltration (crowdstrike_fdrevent table)", "DisplayName": "CrowdStrike Large Zip Creation (crowdstrike_fdrevent table)", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "queries/crowdstrike_queries/CrowdStrike_Large_Zip_Creation_FDREvent.yml"}, {"AnalysisType": "Rule", "Description": "Detects attempt to install a root certificate on MacOS", "DisplayName": "CrowdStrike MacOS Added Trusted Cert", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml"}, {"AnalysisType": "Rule", "Description": "Detects usage of osascript with administrator privileges", "DisplayName": "CrowdStrike MacOS Osascript as Administrator", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_macos_osascript_administrator.yml"}, {"AnalysisType": "Rule", "Description": "Detects the usage of plutil to modify plist files. 
Plist files run on start up and are often used by attackers to maintain persistence.", "DisplayName": "CrowdStrike MacOS plutil Usage", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Detects when a user account is created and assigned admin permissions", "DisplayName": "Crowdstrike New Admin User Created", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_admin_user_created.yml"}, {"AnalysisType": "Rule", "Description": "A new Crowdstrike user was created", "DisplayName": "Crowdstrike New User Created", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_user_created.yml"}, {"AnalysisType": "Rule", "Description": "Alert when someone uses Crowdstrike\u2019s RTR (real-time response) capability to access a machine remotely to run commands.", "DisplayName": "Crowdstrike Real Time Response (RTS) Session", "LogTypes": ["Crowdstrike.FDREvent", "Crowdstrike.Unknown"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_real_time_response_session.yml"}, {"AnalysisType": "Rule", "Description": "Detects usage of common remote access tools.", "DisplayName": "Crowdstrike Remote Access Tool Execution", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_remote_access_tool_execution.yml"}, {"AnalysisType": "Rule", "Description": "Detects usage of tools commonly used to to establish reverse shells on Windows machines.", "DisplayName": "Crowdstrike Reverse Shell Tool Executed", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_reverse_shell_tool_executed.yml"}, {"AnalysisType": "Rule", "Description": "A single IP (instead of a CIDR range) was allowlisted. 
This could indicate a bad actor permitting access from another machine.", "DisplayName": "Crowdstrike Single IP Allowlisted", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_single_ip_allowlisted.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user attempts to clear system logs.", "DisplayName": "Crowdstrike Systemlog Tampering", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml"}, {"AnalysisType": "Rule", "Description": "Detects unusual parent child process pairings.", "DisplayName": "Crowdstrike Unusual Parent Child Processes", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_unusual_parent_child_processes.yml"}, {"AnalysisType": "Rule", "Description": "Someone has deleted multiple users.", "DisplayName": "Crowdstrike User Deleted", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_user_deleted.yml"}, {"AnalysisType": "Rule", "Description": "A user's password was changed", "DisplayName": "Crowdstrike User Password Changed", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_password_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects execution of WMI queries involving information gathering or actions on remote systems, which could indicate reconnaissance or lateral movement.", "DisplayName": "Crowdstrike WMI Query Detection", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml"}, {"AnalysisType": "Rule", "Description": "Attackers are exploiting a Critical (CVSS 10.0) GitLab vulnerability in which user account password reset emails could be delivered to an unverified email address.", "DisplayName": "CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails", "LogTypes": ["GitLab.Audit"], "YAMLPath": 
"rules/gitlab_rules/gitlab_audit_password_reset_multiple_emails.yml"}, {"AnalysisType": "Rule", "Description": "Attackers are exploiting a Critical (CVSS 10.0) GitLab vulnerability in which user account password reset emails could be delivered to an unverified email address.", "DisplayName": "CVE-2023-7028 - GitLab Production Password Reset Multiple Emails", "LogTypes": ["GitLab.Production"], "YAMLPath": "rules/gitlab_rules/gitlab_production_password_reset_multiple_emails.yml"}, {"AnalysisType": "Rule", "Description": "Actor accessed Decoy DynamoDB", "DisplayName": "Decoy DynamoDB Accessed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_dynamodb_accessed.yml"}, {"AnalysisType": "Rule", "Description": "Actor assumed decoy IAM role", "DisplayName": "Decoy IAM Assumed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_iam_assumed.yml"}, {"AnalysisType": "Rule", "Description": "Actor accessed S3 Manager decoy secret", "DisplayName": "Decoy S3 Accessed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_s3_accessed.yml"}, {"AnalysisType": "Rule", "Description": "Actor accessed Secrets Manager decoy secret", "DisplayName": "Decoy Secret Accessed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_secret_accessed.yml"}, {"AnalysisType": "Rule", "Description": "Actor accessed Decoy Systems Manager parameter", "DisplayName": "Decoy Systems Manager Parameter Accessed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_systems_manager_parameter_accessed.yml"}, {"AnalysisType": "Rule", "Description": "An IAM user has a high volume of access denied API calls.", "DisplayName": "Detect Reconnaissance from IAM Users", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.yml"}, {"AnalysisType": "Rule", "Description": 
"Detection content has been removed from Panther.", "DisplayName": "Detection content has been deleted from Panther", "LogTypes": ["Panther.Audit"], "YAMLPath": "rules/panther_audit_rules/panther_detection_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects DNS queries with Base64 encoded subdomains, which could indicate an attempt to obfuscate data exfil.", "DisplayName": "DNS Base64 Encoded Query", "LogTypes": ["AWS.VPCDns", "CiscoUmbrella.DNS", "Crowdstrike.FDREvent"], "YAMLPath": "rules/standard_rules/standard_dns_base64.yml"}, {"AnalysisType": "Rule", "Description": "A DNS request was made to a domain on an explicit denylist", "DisplayName": "DNS request to denylisted domain", "LogTypes": ["Crowdstrike.DNSRequest", "Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_dns_request.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when an admin starts a sign-in-as session.", "DisplayName": "Dropbox Admin sign-in-as Session", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_admin_sign_in_as_session.yml"}, {"AnalysisType": "Rule", "Description": "Dropbox ownership of a document or folder has been transferred.", "DisplayName": "Dropbox Document/Folder Ownership Transfer", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_ownership_transfer.yml"}, {"AnalysisType": "Rule", "Description": "Dropbox item shared externally", "DisplayName": "Dropbox External Share", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_external_share.yml"}, {"AnalysisType": "Rule", "Description": "An application was linked to your Dropbox Account", "DisplayName": "Dropbox Linked Team Application Added", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_linked_team_application_added.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Dropbox Many Deletes", "DisplayName": "Dropbox Many Deletes", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": 
"queries/dropbox_queries/Dropbox_Many_Deletes_Query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Dropbox Many Downloads", "DisplayName": "Dropbox Many Downloads", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "queries/dropbox_queries/Dropbox_Many_Downloads_Query.yml"}, {"AnalysisType": "Rule", "Description": "Dropbox user has disabled 2fa login", "DisplayName": "Dropbox User Disabled 2FA", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_user_disabled_2fa.yml"}, {"AnalysisType": "Rule", "Description": "An administrator viewed a Secret Key for an Application Integration", "DisplayName": "Duo Admin App Integration Secret Key Viewed", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_app_integration_secret_key_viewed.yml"}, {"AnalysisType": "Rule", "Description": "A Duo administrator created an MFA bypass code for an application.", "DisplayName": "Duo Admin Bypass Code Created", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_bypass_code_created.yml"}, {"AnalysisType": "Rule", "Description": "An administrator viewed the MFA bypass code for a user.", "DisplayName": "Duo Admin Bypass Code Viewed", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_bypass_code_viewed.yml"}, {"AnalysisType": "Rule", "Description": "A new Duo Administrator was created.", "DisplayName": "Duo Admin Create Admin", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_create_admin.yml"}, {"AnalysisType": "Rule", "Description": "Alert when a duo administrator is locked out of their account.", "DisplayName": "Duo Admin Lockout", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_lockout.yml"}, {"AnalysisType": "Rule", "Description": "A Duo push was marked fraudulent by an admin.", "DisplayName": "Duo Admin Marked Push Fraudulent", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_marked_push_fraudulent.yml"}, 
{"AnalysisType": "Rule", "Description": "Detects changes to allowed MFA factors administrators can use to log into the admin panel.", "DisplayName": "Duo Admin MFA Restrictions Updated", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_mfa_restrictions_updated.yml"}, {"AnalysisType": "Rule", "Description": "Identifies creation of new Admin API integrations for Duo.", "DisplayName": "Duo Admin New Admin API App Integration", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_new_admin_api_app_integration.yml"}, {"AnalysisType": "Rule", "Description": "A Duo Administrator updated a Policy, which governs how users authenticate.", "DisplayName": "Duo Admin Policy Updated", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_policy_updated.yml"}, {"AnalysisType": "Rule", "Description": "Detects when SAML Authentication for Administrators is marked as Disabled or Optional.", "DisplayName": "Duo Admin SSO SAML Requirement Disabled", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_sso_saml_requirement_disabled.yml"}, {"AnalysisType": "Rule", "Description": "An Administrator enabled a user to authenticate without MFA.", "DisplayName": "Duo Admin User MFA Bypass Enabled", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_user_mfa_bypass_enabled.yml"}, {"AnalysisType": "Rule", "Description": "Alert when a user reports a Duo action as fraudulent.", "DisplayName": "Duo User Action Reported as Fraudulent", "LogTypes": ["Duo.Authentication"], "YAMLPath": "rules/duo_rules/duo_user_action_fraudulent.yml"}, {"AnalysisType": "Rule", "Description": "A Duo authentication was denied due to an anomalous 2FA push.", "DisplayName": "Duo User Auth Denied For Anomalous Push", "LogTypes": ["Duo.Authentication"], "YAMLPath": "rules/duo_rules/duo_user_anomalous_push.yml"}, {"AnalysisType": "Rule", "Description": "A Duo user's bypass code was used to authenticate", 
"DisplayName": "Duo User Bypass Code Used", "LogTypes": ["Duo.Authentication"], "YAMLPath": "rules/duo_rules/duo_user_bypass_code_used.yml"}, {"AnalysisType": "Rule", "Description": "A Duo user's authentication was denied due to a suspicious error on the endpoint", "DisplayName": "Duo User Denied For Endpoint Error", "LogTypes": ["Duo.Authentication"], "YAMLPath": "rules/duo_rules/duo_user_endpoint_failure_multi.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 Network ACL was modified.", "DisplayName": "EC2 Network ACL Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 Network Gateway was modified.", "DisplayName": "EC2 Network Gateway Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 Route Table was modified.", "DisplayName": "EC2 Route Table Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml"}, {"AnalysisType": "Rule", "Description": "An attacker attempted to retrieve a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.", "DisplayName": "EC2 Secrets Manager Retrieve Secrets", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 Security Group was modified.", "DisplayName": "EC2 Security Group Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 VPC was modified.", "DisplayName": "EC2 VPC Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml"}, {"AnalysisType": "Rule", "Description": "Unauthorized ECR Create, Read, Update, or Delete event occurred.", "DisplayName": 
"ECR CRUD Actions", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ecr_crud.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects anonymous API requests made to the Kubernetes API server. In production environments, anonymous access should be disabled to prevent unauthorized access to the API server.", "DisplayName": "EKS Anonymous API Access Detected", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "rules/aws_eks_rules/anonymous_api_access.yml"}, {"AnalysisType": "Rule", "Description": "This detection identifies if a public sourceIP is generating multiple 403s with the Kubernetes API server.", "DisplayName": "EKS Audit Log based single sourceIP is generating multiple 403s", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "rules/aws_eks_rules/source_ip_multiple_403.yml"}, {"AnalysisType": "Rule", "Description": "This detection identifies if an activity is recorded in the Kubernetes audit log where the user:username attribute begins with \"system:\" or \"eks:\" and the requests originating IP Address is a Public IP Address", "DisplayName": "EKS Audit Log Reporting system Namespace is Used From A Public IP", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "rules/aws_eks_rules/system_namespace_public_ip.yml"}, {"AnalysisType": "Rule", "Description": "User enabled or disabled zendesk support user assumption.", "DisplayName": "Enabled Zendesk Support to Assume Users", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_user_assumption.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when users exec into pod. 
Possible to specify specific projects and allowed users.", "DisplayName": "Exec into Pod", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_exec_into_pod.yml"}, {"AnalysisType": "Rule", "Description": "Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands.", "DisplayName": "Execution of Command Line Tool with Base64 Encoded Arguments", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml"}, {"AnalysisType": "Rule", "Description": "An employee shared a sensitive file externally with another organization", "DisplayName": "External GSuite File Share", "LogTypes": ["GSuite.Reports"], "YAMLPath": "rules/gsuite_reports_rules/gsuite_drive_external_share.yml"}, {"AnalysisType": "Rule", "Description": "A Root console login failed.", "DisplayName": "Failed Root Console Login", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_console_root_login_failed.yml"}, {"AnalysisType": "Rule", "Description": "GCP Access Attempts Violating IAP Access Controls", "DisplayName": "GCP Access Attempts Violating IAP Access Controls", "LogTypes": ["GCP.HTTPLoadBalancer"], "YAMLPath": "rules/gcp_http_lb_rules/gcp_access_attempts_violating_iap_access_controls.yml"}, {"AnalysisType": "Rule", "Description": "An access attempt violating VPC service controls (such as Perimeter controls) has been made.", "DisplayName": "GCP Access Attempts Violating VPC Service Controls", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml"}, {"AnalysisType": "Rule", "Description": "Detect any BigQuery query that is doing a very large scan (> 1 GB).", "DisplayName": "GCP BigQuery Large Scan", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_bigquery_large_scan.yml"}, {"AnalysisType": "Rule", "Description": 
"Detects creation of new Cloud Run Service, which, if configured maliciously, may be part of the attack aimed to invoke the service and retrieve the access token.", "DisplayName": "GCP Cloud Run Service Created", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloud_run_service_created.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Detects run.services.create method for privilege escalation in GCP. The exploit creates a new Cloud Run Service that, when invoked, returns the Service Account's access token by accessing the metadata API of the server it is running on.", "DisplayName": "GCP Cloud Run Service Created FOLLOWED BY Set IAM Policy", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml"}, {"AnalysisType": "Rule", "Description": "Detects new roles granted to users to Cloud Run Services. This could potentially allow the user to perform actions within the project and its resources, which could pose a security risk.", "DisplayName": "GCP Cloud Run Set IAM Policy", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloud_run_set_iam_policy.yml"}, {"AnalysisType": "Rule", "Description": "Detects GCP cloud storage bucket updates and deletes.", "DisplayName": "GCP Cloud Storage Buckets Modified Or Deleted", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects privilege escalation attacks designed to gain access to the Cloud Build Service Account. 
A user with permissions to start a new build with Cloud Build can gain access to the Cloud Build Service Account and abuse it for more access to the environment.", "DisplayName": "GCP CloudBuild Potential Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloudbuild_potential_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.", "DisplayName": "GCP cloudfunctions functions create", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloudfunctions_functions_create.yml"}, {"AnalysisType": "Rule", "Description": "The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.", "DisplayName": "GCP cloudfunctions functions update", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloudfunctions_functions_update.yml"}, {"AnalysisType": "Rule", "Description": "Detects compute.instances.create method for privilege escalation in GCP.", "DisplayName": "GCP compute.instances.create Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_computeinstances_create_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "A Gmail account is being used instead of a corporate email", "DisplayName": "GCP Corporate Email Not Used", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_corp_email.yml"}, {"AnalysisType": "Rule", "Description": "Detect any destructive BigQuery queries or jobs such as update, delete, drop, alter or truncate.", "DisplayName": "GCP Destructive Queries", "LogTypes": ["GCP.AuditLog"], 
"YAMLPath": "rules/gcp_audit_rules/gcp_destructive_queries.yml"}, {"AnalysisType": "Rule", "Description": "Detection for GCP DNS zones that are deleted, patched, or updated.", "DisplayName": "GCP DNS Zone Modified or Deleted", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations of GCP firewall rules.", "DisplayName": "GCP Firewall Rule Created", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_firewall_rule_created.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects deletions of GCP firewall rules.", "DisplayName": "GCP Firewall Rule Deleted", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_firewall_rule_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects modifications to GCP firewall rules.", "DisplayName": "GCP Firewall Rule Modified", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_firewall_rule_modified.yml"}, {"AnalysisType": "Rule", "Description": "Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket.", "DisplayName": "GCP GCS IAM Permission Changes", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_gcs_iam_changes.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitor for any modifications or creations of a cron job in GKE. 
Attackers may create or modify an existing scheduled job in order to achieve cluster persistence.", "DisplayName": "GCP GKE Kubernetes Cron Job Created Or Modified", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_cron_job_created_or_modified.yml"}, {"AnalysisType": "Rule", "Description": "A custom role has been created, deleted, or updated.", "DisplayName": "GCP IAM Role Has Changed", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml"}, {"AnalysisType": "Rule", "Description": "The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.", "DisplayName": "GCP IAM serviceAccounts getAccessToken Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_service_accounts_get_access_token_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "The iam.serviceAccounts.signBlob permission \"allows signing of arbitrary payloads\" in GCP. This means we can create a signed blob that requests an access token from the Service Account we are targeting.", "DisplayName": "GCP IAM serviceAccounts signBlob", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_service_accounts_sign_blob.yml"}, {"AnalysisType": "Rule", "Description": "Detects iam.serviceAccounts.signJwt method for privilege escalation in GCP. This method works by signing well-formed JSON web tokens (JWTs). 
The script for this method will sign a well-formed JWT and request a new access token belonging to the Service Account with it.", "DisplayName": "GCP IAM serviceAccounts.signJwt Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_serviceaccounts_signjwt.yml"}, {"AnalysisType": "Rule", "Description": "If your user is assigned a custom IAM role, then iam.roles.update will allow you to update the \u201cincludedPermissons\u201d on that role. Because it is assigned to you, you will gain the additional privileges, which could be anything you desire.", "DisplayName": "GCP iam.roles.update Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_roles_update_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "GCP Inbound SSO Profile Created", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_inbound_sso_profile_created_or_updated.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitors for any kubernetes API Request originating from an Indicator of Compromise.", "DisplayName": "GCP K8s IOCActivity", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_ioc_activity.yml"}, {"AnalysisType": "Rule", "Description": "Detects Daemonset creation in GCP Kubernetes clusters.", "DisplayName": "GCP K8s New Daemonset Deployed", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_new_daemonset_deployed.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitor for the creation of pods which are attached to the host's network. This allows a pod to listen to all network traffic for all deployed computer on that particular node and communicate with other compute on the network namespace. 
Attackers can use this to capture secrets passed in arguments or connections.", "DisplayName": "GCP K8s Pod Attached To Node Host Network", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_pod_attached_to_node_host_network.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitors for pod creation with a hostPath volume mount. The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement.", "DisplayName": "GCP K8S Pod Create Or Modify Host Path Volume Mount", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_pod_create_or_modify_host_path_vol_mount.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitors for any pod creation or modification using the host PID namespace. The Host PID namespace enables a pod and its containers to have direct access and share the same view as of the host\u2019s processes. This can offer a powerful escape hatch to the underlying host.", "DisplayName": "GCP K8s Pod Using Host PID Namespace", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_pod_using_host_pid_namespace.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when a user creates privileged pod. These particular pods have full access to the host\u2019s namespace and devices, have the ability to exploit the kernel, have dangerous linux capabilities, and can be a powerful launching point for further attacks. In the event of a successful container escape where a user is operating with root privileges, the attacker retains this role on the node.", "DisplayName": "GCP K8S Privileged Pod Created", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_privileged_pod_created.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitors for any kubernetes service deployed with type node port. 
A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.", "DisplayName": "GCP K8S Service Type NodePort Deployed", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_service_type_node_port_deployed.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects deletions of GCP Log Buckets or Sinks.", "DisplayName": "GCP Log Bucket or Sink Deleted", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_log_bucket_or_sink_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects any changes made to logging settings", "DisplayName": "GCP Logging Settings Modified", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_logging_settings_modified.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects modifications to GCP Log Sinks.", "DisplayName": "GCP Logging Sink Modified", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_logging_sink_modified.yml"}, {"AnalysisType": "Rule", "Description": "Alert if a GCP Org or Folder Policy Was Changed Manually.", "DisplayName": "GCP Org or Folder Policy Was Changed Manually", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml"}, {"AnalysisType": "Rule", "Description": "Permissions granted to impersonate a service account. 
This includes predefined service account IAM roles granted at the parent project, folder or organization-level.", "DisplayName": "GCP Permissions Granted to Create or Manage Service Account Key", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml"}, {"AnalysisType": "Rule", "Description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection.", "DisplayName": "GCP Resource in Unused Region", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_unused_regions.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects deletions of GCP Log Buckets or Sinks.", "DisplayName": "GCP Service Account Access Denied", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_service_account_access_denied.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a service account or key is created manually by a user instead of an automated workflow.", "DisplayName": "GCP Service Account or Keys Created ", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml"}, {"AnalysisType": "Rule", "Description": "Detects serviceusage.apiKeys.create method for privilege escalation in GCP. By default, API Keys are created with no restrictions, which means they have access to the entire GCP project they were created in. 
We can capitalize on that fact by creating a new API key that may have more privileges than our own user.", "DisplayName": "GCP serviceusage.apiKeys.create Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_serviceusage_apikeys_create_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "Monitoring changes to Sql Instance configuration may reduce time to detect and correct misconfigurations done on sql server.", "DisplayName": "GCP SQL Config Changes", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_sql_config_changes.yml"}, {"AnalysisType": "Rule", "Description": "There is a feature of Cloud Storage, \u201cinteroperability\u201d, that provides a way for Cloud Storage to interact with storage offerings from other cloud providers, like AWS S3. As part of that, there are HMAC keys that can be created for both Service Accounts and regular users. We can escalate Cloud Storage permissions by creating an HMAC key for a higher-privileged Service Account.", "DisplayName": "GCP storage hmac keys create", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_storage_hmac_keys_create.yml"}, {"AnalysisType": "Rule", "Description": "A user has been granted access to a IAP protected service.", "DisplayName": "GCP User Added to IAP Protected Service", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml"}, {"AnalysisType": "Rule", "Description": "A user was added to a group with special previleges", "DisplayName": "GCP User Added to Privileged Group", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_user_added_to_privileged_group.yml"}, {"AnalysisType": "Rule", "Description": "VPC flow logs were disabled for a subnet.", "DisplayName": "GCP VPC Flow Logs Disabled", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml"}, {"AnalysisType": "Rule", "Description": "", 
"DisplayName": "GCP Workforce Pool Created or Updated", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_workforce_pool_created_or_updated.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "GCP Workload Identity Pool Created or Updated", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_workload_identity_pool_created_or_updated.yml"}, {"AnalysisType": "Rule", "Description": "If your user is assigned a custom IAM role, then iam.roles.update will allow you to update the \u201cincludedPermissons\u201d on that role. Because it is assigned to you, you will gain the additional privileges, which could be anything you desire.", "DisplayName": "GCP.Iam.ServiceAccountKeys.Create", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_service_account_key_create.yml"}, {"AnalysisType": "Rule", "Description": "Detects privilege escalation in GCP by taking over the deploymentsmanager.deployments.create permission", "DisplayName": "GCP.Privilege.Escalation.By.Deployments.Create", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_privilege_escalation_by_deployments_create.yml"}, {"AnalysisType": "Rule", "Description": "Adversaries may access data objects from improperly secured cloud storage.", "DisplayName": "GCS Bucket Made Public", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_gcs_public.yml"}, {"AnalysisType": "Rule", "Description": "A monitored github action has failed.", "DisplayName": "GitHub Action Failed", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_action_failed.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Identifies when advances security change was made not to archive a repo. 
Eliminates false positives in the Advances Security Change Rule when the repo is archived.", "DisplayName": "GitHub Advanced Security Change WITHOUT Repo Archived", "LogTypes": ["GitHub.Audit"], "YAMLPath": "correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml"}, {"AnalysisType": "Rule", "Description": "Disabling branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.", "DisplayName": "GitHub Branch Protection Disabled", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_branch_protection_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Bypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.", "DisplayName": "GitHub Branch Protection Policy Override", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_branch_policy_override.yml"}, {"AnalysisType": "Rule", "Description": "Creates an alert if a dependabot alert is dismissed without being fixed.", "DisplayName": "GitHub Dependabot Vulnerability Dismissed", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_vulnerability_dismissed.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to GitHub org authentication changes.", "DisplayName": "GitHub Org Authentication Method Changed", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_org_auth_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to a GitHub Org IP Allow List", "DisplayName": "GitHub Org IP Allow List modified", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_org_ip_allowlist.yml"}, {"AnalysisType": "Rule", "Description": "An application integration was installed to your organization's Github account by someone in your organization.", "DisplayName": "Github Organization App Integration Installed", "LogTypes": ["GitHub.Audit"], "YAMLPath": 
"rules/github_rules/github_organization_app_integration_installed.yml"}, {"AnalysisType": "Rule", "Description": "A public Github repository was created.", "DisplayName": "Github Public Repository Created", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_public_repository_created.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a repository is archived.", "DisplayName": "GitHub Repository Archived", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_archived.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a repository collaborator is added or removed.", "DisplayName": "GitHub Repository Collaborator Change", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_collaborator_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a repository is created.", "DisplayName": "GitHub Repository Created", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_created.yml"}, {"AnalysisType": "Rule", "Description": "Disabling repository ruleset controls could indicate malicious use of admin credentials in an attempt to hide activity.", "DisplayName": "GitHub Repository Ruleset Modified", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_ruleset_modified.yml"}, {"AnalysisType": "Rule", "Description": "A user accepted a request to receive a transferred Github repository, a Github repository was transferred to another repository network, or a user sent a request to transfer a repository to another user or organization.", "DisplayName": "Github Repository Transfer", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repository_transfer.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an organization repository visibility changes.", "DisplayName": "GitHub Repository Visibility Change", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_visibility_change.yml"}, {"AnalysisType": "Rule", 
"Description": "GitHub detected a secret and created a secret scanning alert.", "DisplayName": "GitHub Secret Scanning Alert Created", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_secret_scanning_alert_created.yml"}, {"AnalysisType": "Rule", "Description": "The rule alerts when GitHub Security tools (Dependabot, Secret Scanner, etc) are disabled.", "DisplayName": "GitHub Security Change, includes GitHub Advanced Security", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_advanced_security_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a team is modified in some way, such as adding a new team, deleting a team, modifying members, or a change in repository control.", "DisplayName": "GitHub Team Modified", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_team_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a GitHub user access key is created.", "DisplayName": "GitHub User Access Key Created", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_user_access_key_created.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user is added or removed from a GitHub Org.", "DisplayName": "GitHub User Added or Removed from Org", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_org_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user is added to a GitHub org's list of moderators.", "DisplayName": "GitHub User Added to Org Moderators", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_org_moderators_add.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user initially accesses a private organization repository.", "DisplayName": "GitHub User Initial Access to Private Repo", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_initial_access.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a GitHub user role is upgraded to an admin or downgraded 
to a member", "DisplayName": "GitHub User Role Updated", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_user_role_updated.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a webhook is added, modified, or deleted", "DisplayName": "GitHub Web Hook Modified", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_webhook_modified.yml"}, {"AnalysisType": "Rule", "Description": "Google accessed one of your GSuite resources directly, most likely in response to a support incident.", "DisplayName": "Google Accessed a GSuite Resource", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_google_access.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Scheduled rule for the High Google Drive Download Count query which looks for incidents of more than 10 (tunable) downloads by a user in the past day.", "DisplayName": "Google Drive High Download Count", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "queries/gsuite_queries/gsuite_drive_many_docs_downloaded.yml"}, {"AnalysisType": "Rule", "Description": "A Google Workspace administrator created a new custom administrator role.", "DisplayName": "Google Workspace Admin Custom Role", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml"}, {"AnalysisType": "Rule", "Description": "Your organization's Google Workspace Advanced Protection Program settings were modified.", "DisplayName": "Google Workspace Advanced Protection Program", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml"}, {"AnalysisType": "Rule", "Description": "Google Workspace Marketplace application allowlist settings were modified.", "DisplayName": "Google Workspace Apps Marketplace Allowlist", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": 
"rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml"}, {"AnalysisType": "Rule", "Description": "A Google Workspace User configured a new domain application from the Google Workspace Apps Marketplace.", "DisplayName": "Google Workspace Apps Marketplace New Domain Application", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml"}, {"AnalysisType": "Rule", "Description": "A new mobile application was added to your organization's mobile apps whitelist in Google Workspace Apps.", "DisplayName": "Google Workspace Apps New Mobile App Installed", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml"}, {"AnalysisType": "Rule", "Description": "A User or Admin Has Modified A Calendar To Be Public", "DisplayName": "GSuite Calendar Has Been Made Public", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_calendar_made_public.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported a suspicious activity on a user's device.", "DisplayName": "GSuite Device Suspicious Activity", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.yml"}, {"AnalysisType": "Rule", "Description": "A GSuite document's ownership was transferred to an external party.", "DisplayName": "GSuite Document External Ownership Transfer", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Scheduled rule for the GSuite Drive Many Documents Deleted query. 
Looks for users who have deleted more than 10 (tunable) documents the past day.", "DisplayName": "GSuite Drive Many Documents Deleted", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "queries/gsuite_queries/gsuite_drive_many_docs_deleted.yml"}, {"AnalysisType": "Rule", "Description": "A Google drive resource became externally accessible.", "DisplayName": "GSuite External Drive Document", "LogTypes": ["GSuite.Reports"], "YAMLPath": "rules/gsuite_reports_rules/gsuite_drive_visibility_change.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported that it detected a government backed attack against your account.", "DisplayName": "GSuite Government Backed Attack", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_gov_attack.yml"}, {"AnalysisType": "Rule", "Description": "A login of a non-approved type was detected for this user.", "DisplayName": "GSuite Login Type", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_login_type.yml"}, {"AnalysisType": "Rule", "Description": "A user has configured mail forwarding to an external domain", "DisplayName": "Gsuite Mail forwarded to external domain", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Query to search for a user deleting many documents.", "DisplayName": "GSuite Many Docs Deleted Query", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "queries/gsuite_queries/GSuite_Many_Docs_Deleted_Query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Query to search high document download counts by users.", "DisplayName": "GSuite Many Docs Downloaded Query", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "queries/gsuite_queries/GSuite_Many_Docs_Downloaded_Query.yml"}, {"AnalysisType": "Rule", "Description": "A Google drive resource that is overly visible has been modified.", "DisplayName": "GSuite Overly 
Visible Drive Document", "LogTypes": ["GSuite.Reports"], "YAMLPath": "rules/gsuite_reports_rules/gsuite_drive_overly_visible.yml"}, {"AnalysisType": "Rule", "Description": "A GSuite rule was triggered.", "DisplayName": "GSuite Passthrough Rule Triggered", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_passthrough_rule.yml"}, {"AnalysisType": "Rule", "Description": "A user disabled advanced protection for themselves.", "DisplayName": "GSuite User Advanced Protection Change", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_advanced_protection.yml"}, {"AnalysisType": "Rule", "Description": "A GSuite user was banned from an enterprise group by moderator action.", "DisplayName": "GSuite User Banned from Group", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_group_banned_user.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported a user's device has been compromised.", "DisplayName": "GSuite User Device Compromised", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.yml"}, {"AnalysisType": "Rule", "Description": "Someone failed to unlock a user's device multiple times in quick succession.", "DisplayName": "GSuite User Device Unlock Failures", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported a user's password has been compromised, so they disabled the account.", "DisplayName": "GSuite User Password Leaked", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_leaked_password.yml"}, {"AnalysisType": "Rule", "Description": "A GSuite user was suspended, the account may have been compromised by a spam network.", "DisplayName": "GSuite User Suspended", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": 
"rules/gsuite_activityevent_rules/gsuite_user_suspended.yml"}, {"AnalysisType": "Rule", "Description": "A user disabled two step verification for themselves.", "DisplayName": "GSuite User Two Step Verification Change", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_two_step_verification.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Changed The Sharing Settings for Primary Calendars", "DisplayName": "GSuite Workspace Calendar External Sharing Setting Change", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_calendar_external_sharing.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Created a Data Export", "DisplayName": "GSuite Workspace Data Export Has Been Created", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_data_export_created.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Modified A Default Routing Rule In Gmail", "DisplayName": "GSuite Workspace Gmail Default Routing Rule Modified", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_gmail_default_routing_rule.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Disabled Pre-Delivery Scanning For Gmail.", "DisplayName": "GSuite Workspace Gmail Pre-Delivery Message Scanning Disabled", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_gmail_enhanced_predelivery_scanning.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Disabled The Security Sandbox", "DisplayName": "GSuite Workspace Gmail Security Sandbox Disabled", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_gmail_security_sandbox_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Enabled Password Reuse", "DisplayName": "GSuite 
Workspace Password Reuse Has Been Enabled", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_password_reuse_enabled.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Disabled The Enforcement Of Strong Passwords", "DisplayName": "GSuite Workspace Strong Password Enforcement Has Been Disabled", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_password_enforce_strong_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Modified The Trusted Domains List", "DisplayName": "GSuite Workspace Trusted Domain Allowlist Modified", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_trusted_domains_allowlist.yml"}, {"AnalysisType": "Rule", "Description": "An IAM role policy was attached with Administrator Access, which could indicate a potential security risk.", "DisplayName": "IAM Administrator Role Policy Attached", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_attach_admin_role_policy.yml"}, {"AnalysisType": "Rule", "Description": "A user assumed a role that was explicitly blocklisted for manual user assumption.", "DisplayName": "IAM Assume Role Blocklist Ignored", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml"}, {"AnalysisType": "Rule", "Description": "A change occurred in the IAM configuration. This could be a resource being created, deleted, or modified. This is a high level view of changes, helfpul to indicate how dynamic a certain IAM environment is.", "DisplayName": "IAM Change", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_anything_changed.yml"}, {"AnalysisType": "Rule", "Description": "An IAM Entity (Group, Policy, Role, or User) was created manually. 
IAM entities should be created in code to ensure that permissions are tracked and managed correctly.", "DisplayName": "IAM Entity Created Without CloudFormation", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM entities (Groups, Roles, and Users) do not have inline policies attached that grant network admin privileges. Inline policies are more difficult to track and audit than managed policies, and can lead to persistent unexpected access.", "DisplayName": "IAM Inline Policy Network Admin", "LogTypes": ["AWS.IAM.Group", "AWS.IAM.Role", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.yml"}, {"AnalysisType": "Rule", "Description": "An IAM Policy was changed.", "DisplayName": "IAM Policy Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_policy_modified.yml"}, {"AnalysisType": "Rule", "Description": "An IAM role was created.", "DisplayName": "IAM Role Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_create_role.yml"}, {"AnalysisType": "Rule", "Description": "An IAM role policy was updated to allow internet access, which could indicate a backdoor.", "DisplayName": "IAM Role Policy Updated to Allow Internet Access", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_backdoor_role.yml"}, {"AnalysisType": "Rule", "Description": "An IAM user was created, which could indicate a new user creation or policy update.", "DisplayName": "IAM User Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_create_user.yml"}, {"AnalysisType": "Rule", "Description": "An IAM user policy was attached with Administrator Access, which could indicate a potential security risk.", "DisplayName": "IAM User Policy Attached with Administrator 
Access", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_attach_admin_user_policy.yml"}, {"AnalysisType": "Rule", "Description": "A user has subsequent logins from two geographic locations that are very far apart", "DisplayName": "Impossible Travel for Login Action", "LogTypes": ["AWS.CloudTrail", "Asana.Audit", "Notion.AuditLogs", "Okta.SystemLog"], "YAMLPath": "rules/standard_rules/impossible_travel_login.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any kubernetes API Request originating from an Indicator of Compromise.", "DisplayName": "IOC Activity in K8 Control Plane", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_ioc_activity_query.yml"}, {"AnalysisType": "Rule", "Description": "A KMS Customer Managed Key was disabled or scheduled for deletion. This could potentially lead to permanent loss of encrypted data.", "DisplayName": "KMS CMK Disabled or Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_kms_cmk_loss.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitor for any modifications or creations of a cron job. Attackers may create or modify an existing scheduled job in order to achieve cluster persistence.", "DisplayName": "Kubernetes Cron Job Created or Modified", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_cron_job_created_or_modified_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any pod created in pre-configured or default namespaces. Only Cluster Admins should be creating pods in the kube-system namespace, and it is best practice not to run any cluster critical infrastructure here. The kube-public namespace is intended to be readable by unauthenticated users. The default namespace is shipped with the cluster and it is best practice not to deploy production workloads here. 
These namespaces may be used to evade defenses or hide attacker infrastructure.", "DisplayName": "Kubernetes Pod Created in Pre-Configured or Default Name Spaces", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_in_default_name_space_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any kubernetes service deployed with type node port. A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.", "DisplayName": "Kubernetes Service with Type Node Port Deployed", "LogTypes": [], "YAMLPath": "queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml"}, {"AnalysisType": "Rule", "Description": "Unauthorized lambda Create, Read, Update, or Delete event occurred.", "DisplayName": "Lambda CRUD Actions", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_lambda_crud.yml"}, {"AnalysisType": "Rule", "Description": "Identifies when the code of a Lambda function is updated, which could indicate a potential security risk.", "DisplayName": "Lambda Update Function Code", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_overwrite_lambda_code.yml"}, {"AnalysisType": "Rule", "Description": "Identifies when a Lambda function configuration is updated with layers, which could indicate a potential security risk.", "DisplayName": "Lambda Update Function Configuration with Layers", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_add_malicious_lambda_extension.yml"}, {"AnalysisType": "Rule", "Description": "A console login was made without multi-factor authentication.", "DisplayName": "Logins Without MFA", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": 
"rules/aws_cloudtrail_rules/aws_console_login_without_mfa.yml"}, {"AnalysisType": "Rule", "Description": "An AWS console login was made without SAML/SSO.", "DisplayName": "Logins Without SAML", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_console_login_without_saml.yml"}, {"AnalysisType": "Rule", "Description": "The application level firewall blocks unwanted network connections made to your computer from other computers on your network.", "DisplayName": "MacOS ALF is misconfigured", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_application_firewall.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects processes that contain known browser credential files in arguments.", "DisplayName": "MacOS Browser Credential Access", "LogTypes": [], "YAMLPath": "queries/crowdstrike_queries/MacOS_Browser_Credential_Access.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects processes that contain known browser credential files in arguments. 
(crowdstrike_fdrevent table)", "DisplayName": "MacOS Browser Credential Access (crowdstrike_fdrevent table)", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "queries/crowdstrike_queries/MacOS_Browser_Credential_Access_FDREvent.yml"}, {"AnalysisType": "Rule", "Description": "A Key Logger has potentially been detected on a macOS system", "DisplayName": "MacOS Keyboard Events", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_osx_attacks_keyboard_events.yml"}, {"AnalysisType": "Rule", "Description": "Malware has potentially been detected on a macOS system", "DisplayName": "macOS Malware Detected with osquery", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_osx_attacks.yml"}, {"AnalysisType": "Rule", "Description": "Box has detect malicious content, such as a virus.", "DisplayName": "Malicious Content Detected", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_malicious_content.yml"}, {"AnalysisType": "Rule", "Description": "The rule looks for DNS requests to sites potentially posing as SSO domains.", "DisplayName": "Malicious SSO DNS Lookup", "LogTypes": ["CiscoUmbrella.DNS", "Crowdstrike.DNSRequest", "Crowdstrike.FDREvent", "Suricata.DNS", "Zeek.DNS"], "YAMLPath": "rules/standard_rules/malicious_sso_dns_lookup.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Multi-Factor Authentication (MFA) is disabled", "DisplayName": "MFA Disabled", "LogTypes": ["Atlassian.Audit", "GitHub.Audit", "Okta.SystemLog", "Zendesk.Audit"], "YAMLPath": "rules/standard_rules/mfa_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Detects creation of forwarding rule to external domains", "DisplayName": "Microsoft Exchange External Forwarding", "LogTypes": ["Microsoft365.Audit.Exchange"], "YAMLPath": "rules/microsoft_rules/microsoft_exchange_external_forwarding.yml"}, {"AnalysisType": "Rule", "Description": "The Microsoft Graph security API federates queries to all onboarded security 
providers, including Azure AD Identity Protection, Microsoft 365, Microsoft Defender (Cloud, Endpoint, Identity) and Microsoft Sentinel", "DisplayName": "Microsoft Graph Passthrough", "LogTypes": ["MicrosoftGraph.SecurityAlert"], "YAMLPath": "rules/microsoft_rules/microsoft_graph_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "A Microsoft365 user was denied login access several times", "DisplayName": "Microsoft365 Brute Force Login by User", "LogTypes": ["Microsoft365.Audit.AzureActiveDirectory"], "YAMLPath": "rules/microsoft_rules/microsoft365_brute_force_login_by_user.yml"}, {"AnalysisType": "Rule", "Description": "Document shared externally", "DisplayName": "Microsoft365 External Document Sharing", "LogTypes": ["Microsoft365.Audit.SharePoint"], "YAMLPath": "rules/microsoft_rules/microsoft365_external_sharing.yml"}, {"AnalysisType": "Rule", "Description": "A user's MFA has been removed", "DisplayName": "Microsoft365 MFA Disabled", "LogTypes": ["Microsoft365.Audit.AzureActiveDirectory"], "YAMLPath": "rules/microsoft_rules/microsoft365_mfa_disabled.yml"}, {"AnalysisType": "Rule", "Description": "2FA was disabled.", "DisplayName": "MongoDB 2FA Disabled", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_2fa_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Atlas only allows client connections to the database deployment from entries in the project's IP access list. 
This rule detects when 0.0.0.0/0 is added to that list, which allows access from anywhere.", "DisplayName": "MongoDB access allowed from anywhere", "LogTypes": ["MongoDB.ProjectEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_access_allowed_from_anywhere.yml"}, {"AnalysisType": "Rule", "Description": "A MongoDB Atlas api key's access list was updated", "DisplayName": "MongoDB Atlas API Key Created", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_atlas_api_key_created.yml"}, {"AnalysisType": "Rule", "Description": "An external user has been invited to a MongoDB org.", "DisplayName": "MongoDB External User Invited", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_external_user_invited.yml"}, {"AnalysisType": "Rule", "Description": "An external user has been invited to a MongoDB org (no config).", "DisplayName": "MongoDB External User Invited (no config)", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_external_user_invited_no_config.yml"}, {"AnalysisType": "Rule", "Description": "Changes to identity provider settings are privileged activities that should be carefully audited. Attackers may add or change IDP integrations to gain persistence to environments", "DisplayName": "MongoDB Identity Provider Activity", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_identity_provider_activity.yml"}, {"AnalysisType": "Rule", "Description": "MongoDB logging toggled", "DisplayName": "MongoDB logging toggled", "LogTypes": ["MongoDB.ProjectEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_logging_toggled.yml"}, {"AnalysisType": "Rule", "Description": "You can configure Atlas to require API access lists at the organization level. When you enable IP access list for the Atlas Administration API, all API calls in that organization must originate from a valid entry in the associated Atlas Administration API key access list. 
This rule detects when IP access list is disabled", "DisplayName": "MongoDB org membership restriction disabled", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_org_membership_restriction_disabled.yml"}, {"AnalysisType": "Rule", "Description": "MongoDB provides security alerting policies for notifying admins when certain conditions are met. This rule detects when these policies are disabled or deleted.", "DisplayName": "MongoDB security alerts disabled or deleted", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_alerting_disabled.yml"}, {"AnalysisType": "Rule", "Description": "User roles changed.", "DisplayName": "MongoDB user roles changed", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_user_roles_changed.yml"}, {"AnalysisType": "Rule", "Description": "User was created or deleted.", "DisplayName": "MongoDB user was created or deleted", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_user_created_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "An unauthorized AWS API call was made", "DisplayName": "Monitor Unauthorized API Calls", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml"}, {"AnalysisType": "Rule", "Description": "A user deleted a large number of objects in a short period of time.", "DisplayName": "Netskope Many Objects Deleted", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_many_deletes.yml"}, {"AnalysisType": "Rule", "Description": "Many unauthorized API calls were observed for a user in a short period of time.", "DisplayName": "Netskope Many Unauthorized API Calls", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_unauthorized_api_calls.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a new admission controller being created in the cluster. 
Admission controllers allows an attack to intercept all API requests made within a cluster, allowing for enumeration of resources and common actions. This can be a very powerful tool to understand where to pivot to next.", "DisplayName": "New Admission Controller Created", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_admission_controller_created_query.yml"}, {"AnalysisType": "Rule", "Description": "A new AWS account was created", "DisplayName": "New AWS Account Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/indicator_creation_rules/new_aws_account_logging.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a new DaemonSet deployed to a kubernetes cluster. A daemonset is a workload that guarantees the presence of exactly one instance of a specific pod on every node in the cluster. This can be a very powerful tool for establishing peristence.", "DisplayName": "New DaemonSet Deployed to Kubernetes", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_new_daemonset_deployed_query.yml"}, {"AnalysisType": "Rule", "Description": "A console password, access key, or user has been created.", "DisplayName": "New IAM Credentials Updated", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_update_credentials.yml"}, {"AnalysisType": "Rule", "Description": "A new account was created", "DisplayName": "New User Account Created", "LogTypes": ["AWS.CloudTrail", "OneLogin.Events", "Zoom.Operation"], "YAMLPath": "rules/indicator_creation_rules/new_user_account_logging.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User exported audit logs for your organization\u2019s workspace.", "DisplayName": "Notion Audit Log Exported", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_workspace_audit_log_exported.yml"}, {"AnalysisType": "Correlation Rule", "Description": "A Notion User logged in then changed their account 
details.", "DisplayName": "Notion Login FOLLOWED BY AccountChange", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "correlation_rules/notion_login_followed_by_account_change.yml"}, {"AnalysisType": "Rule", "Description": "A user attempted to access Notion from a blocked IP address. Note: before deployinh, make sure to add Rule Filters checking if event.ip_address is in a certain CIDR range(s).", "DisplayName": "Notion Login From Blocked IP", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_login_from_blocked_ip.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User logged in from a new location.", "DisplayName": "Notion Login from New Location", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_login_from_new_location.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "A Notion User deleted multiple pages, which were not created or restored from the trash within the same hour.", "DisplayName": "Notion Many Pages Deleted", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "queries/notion_queries/notion_many_pages_deleted_sched.yml"}, {"AnalysisType": "Scheduled Query", "Description": "A Notion User deleted multiple pages, which were not created or restored from the trash within the same hour.", "DisplayName": "Notion Many Pages Deleted Query", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "queries/notion_queries/notion_many_pages_deleted_query.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User exported multiple pages.", "DisplayName": "Notion Many Pages Exported", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_many_pages_exported.yml"}, {"AnalysisType": "Rule", "Description": "A new API integration was added to a Notion page, or it's permissions were changed.", "DisplayName": "Notion Page API Permissions Changed", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_page_accessible_to_api.yml"}, {"AnalysisType": "Rule", "Description": "The external guest 
permissions for a Notion page have been altered.", "DisplayName": "Notion Page Guest Permissions Changed", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_page_accessible_to_guests.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User published a page to the web.", "DisplayName": "Notion Page Published to Web", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_page_shared_to_web.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User changed settings to enforce SAML SSO configurations for your organization.", "DisplayName": "Notion SAML SSO Configuration Changed", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User generated a SCIM token.", "DisplayName": "Notion SCIM Token Generated", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_scim_token_generated.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User enabled sharing for a Workspace or Teamspace.", "DisplayName": "Notion Sharing Settings Updated", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_sharing_settings_updated.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User was added as a Teamspace owner.", "DisplayName": "Notion Teamspace Owner Added", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_teamspace_owner_added.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User exported an existing workspace.", "DisplayName": "Notion Workspace Exported", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_workspace_exported.yml"}, {"AnalysisType": "Rule", "Description": "A Notion page was set to public in your worksace.", "DisplayName": "Notion Workspace public page added", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_workspace_settings_public_homepage_added.yml"}, 
{"AnalysisType": "Scheduled Query", "Description": "Audit instances of admin access granted in your okta tenant", "DisplayName": "Okta Admin Access Granted", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_admin_access_granted.yml"}, {"AnalysisType": "Rule", "Description": "A user has been granted administrative privileges in Okta", "DisplayName": "Okta Admin Role Assigned", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_admin_role_assigned.yml"}, {"AnalysisType": "Rule", "Description": "Okta FastPass detected a user targeted by attackers wielding real-time (AiTM) proxies.", "DisplayName": "Okta AiTM Phishing Attempt Blocked by FastPass", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_phishing_attempt_blocked_by_fastpass.yml"}, {"AnalysisType": "Rule", "Description": "A user created an API Key in Okta", "DisplayName": "Okta API Key Created", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_api_key_created.yml"}, {"AnalysisType": "Rule", "Description": "A user has revoked an API Key in Okta", "DisplayName": "Okta API Key Revoked", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_api_key_revoked.yml"}, {"AnalysisType": "Rule", "Description": "When a client wants to renew an access token, it sends the refresh token with the access token request to the /token Okta endpoint.Okta validates the incoming refresh token, issues a new set of tokens and invalidates the refresh token that was passed with the initial request.This detection alerts when a previously used refresh token is used again with the token request", "DisplayName": "Okta App Refresh Access Token Reuse", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_app_refresh_access_token_reuse.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user is denied access to an Okta application", "DisplayName": "Okta App Unauthorized Access Attempt", "LogTypes": ["Okta.SystemLog"], "YAMLPath": 
"rules/okta_rules/okta_app_unauthorized_access_attempt.yml"}, {"AnalysisType": "Rule", "Description": "An application admin has extracted cleartext user passwords via SCIM app. Malcious actors can extract plaintext passwords by creating a SCIM application under their control and configuring it to sync passwords from Okta.", "DisplayName": "Okta Cleartext Passwords Extracted via SCIM Application", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_password_extraction_via_scim.yml"}, {"AnalysisType": "Rule", "Description": "Detect when an admin role is assigned to a group", "DisplayName": "Okta Group Admin Role Assigned", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_group_admin_role_assigned.yml"}, {"AnalysisType": "Saved Query", "Description": "https://sec.okta.com/harfiles", "DisplayName": "Okta HAR File IOCs", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_harfile_iocs.yml"}, {"AnalysisType": "Rule", "Description": "A new 3rd party Identity Provider has been created or modified. Attackers have been observed configuring a second Identity Provider to act as an \"impersonation app\" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a \u201csource\u201d IdP in an inbound federation relationship (sometimes called \u201cOrg2Org\u201d) with the target.", "DisplayName": "Okta Identity Provider Created or Modified", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_idp_create_modify.yml"}, {"AnalysisType": "Rule", "Description": "A user has signed in using a 3rd party Identity Provider. Attackers have been observed configuring a second Identity Provider to act as an \"impersonation app\" to access applications within the compromised Org on behalf of other users. 
This second Identity Provider, also controlled by the attacker, would act as a \u201csource\u201d IdP in an inbound federation relationship (sometimes called \u201cOrg2Org\u201d) with the target. From this \u201csource\u201d IdP, the threat actor manipulated the username parameter for targeted users in the second \u201csource\u201d Identity Provider to match a real user in the compromised \u201ctarget\u201d Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user. Do not use this rule if your organization uses legitimate 3rd-party Identity Providers.", "DisplayName": "Okta Identity Provider Sign-in", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_idp_signin.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Investigate Password and MFA resets for the last 7 days", "DisplayName": "Okta Investigate MFA and Password resets", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_mfa_password_reset_audit.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Search for activity related to a specific SessionID in Okta panther_logs.okta_systemlog", "DisplayName": "Okta Investigate Session ID Activity", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_session_id_audit.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Audit user activity across your environment. 
Customize to filter on specific users, time ranges, etc", "DisplayName": "Okta Investigate User Activity", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_activity_audit.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Okta Logins from an IP Address not found in CrowdStrike's AIP List", "DisplayName": "Okta Login From CrowdStrike Unmanaged Device", "LogTypes": ["Crowdstrike.AIDMaster", "Okta.SystemLog"], "YAMLPath": "queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_Query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Okta Logins from an IP Address not found in CrowdStrike's AIP List (crowdstrike_fdrevent table)", "DisplayName": "Okta Login From CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)", "LogTypes": ["Crowdstrike.FDREvent", "Okta.SystemLog"], "YAMLPath": "queries/okta_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_FDREvent.yml"}, {"AnalysisType": "Rule", "Description": "An admin user has disabled the MFA requirement for your Okta account", "DisplayName": "Okta MFA Globally Disabled", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_admin_disabled_mfa.yml"}, {"AnalysisType": "Rule", "Description": "New Behaviors Observed while Accessing Okta Admin Console. A user attempted to access the Okta Admin Console from a new device with a new IP.", "DisplayName": "Okta New Behaviors Acessing Admin Console", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_new_behavior_accessing_admin_console.yml"}, {"AnalysisType": "Rule", "Description": "An Okta Org2Org application has been created or modified. Okta's Org2Org applications instances are used to push and match users from one Okta organization to another. 
A malicious actor can add an Org2Org application instance and create a user in the source organization (controlled by the attacker) with the same identifier as a Super Administrator in the target organization.", "DisplayName": "Okta Org2Org application created of modified", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_org2org_creation_modification.yml"}, {"AnalysisType": "Rule", "Description": "User accessed another user's application password", "DisplayName": "Okta Password Accessed", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_password_accessed.yml"}, {"AnalysisType": "Rule", "Description": "This rule looks for the same session being used from two devices, indicating a compromised session token.", "DisplayName": "Okta Potentially Stolen Session", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_potentially_stolen_session.yml"}, {"AnalysisType": "Rule", "Description": "Potential DoS/Bruteforce attack or hitting limits (system degradation)", "DisplayName": "Okta Rate Limits", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_rate_limits.yml"}, {"AnalysisType": "Rule", "Description": "A user is attempting to sign-in to Okta from a known VPN anonymizer. 
The threat actor would access the compromised account using anonymizing proxy services.", "DisplayName": "Okta Sign-In from VPN Anonymizer", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_anonymizing_vpn_login.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Show instances that Okta support was granted to your account", "DisplayName": "Okta Support Access", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_support_access.yml"}, {"AnalysisType": "Rule", "Description": "An admin user has granted access to Okta Support to your account", "DisplayName": "Okta Support Access Granted", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_account_support_access.yml"}, {"AnalysisType": "Rule", "Description": "A Password or MFA factor was reset by Okta Support", "DisplayName": "Okta Support Reset Credential", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_support_reset.yml"}, {"AnalysisType": "Rule", "Description": "Okta ThreatInsight identified request from potentially malicious IP address", "DisplayName": "Okta ThreatInsight Security Threat Detected", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_threatinsight_security_threat_detected.yml"}, {"AnalysisType": "Rule", "Description": "An Okta user has locked their account.", "DisplayName": "Okta User Account Locked", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_account_locked.yml"}, {"AnalysisType": "Rule", "Description": "Suspend factor or authenticator enrollment method for user.", "DisplayName": "Okta User MFA Factor Suspend", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_mfa_factor_suspend.yml"}, {"AnalysisType": "Rule", "Description": "User has reset one of their own MFA factors", "DisplayName": "Okta User MFA Own Reset", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_mfa_reset.yml"}, {"AnalysisType": "Rule", "Description": "All MFA factors 
have been reset for a user.", "DisplayName": "Okta User MFA Reset All", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_mfa_reset_all.yml"}, {"AnalysisType": "Rule", "Description": "Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification.This detection alerts when a user marks the raised activity as suspicious.", "DisplayName": "Okta User Reported Suspicious Activity", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_reported_suspicious_activity.yml"}, {"AnalysisType": "Saved Query", "Description": "On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication. Customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between the period of July 23rd, 2024 to October 30th, 2024. 
https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/", "DisplayName": "Okta Username Above 52 Characters Security Advisory", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_52_char_username_threat_hunt.yml"}, {"AnalysisType": "Rule", "Description": "Multiple user accounts logged in from the same ip address.", "DisplayName": "OneLogin Active Login Activity", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_active_login_activity.yml"}, {"AnalysisType": "Rule", "Description": "A user removed an authentication factor or otp device.", "DisplayName": "OneLogin Authentication Factor Removed", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_remove_authentication_factor.yml"}, {"AnalysisType": "Rule", "Description": "A OneLogin attempt with a high risk factor (>50) resulted in a failed authentication.", "DisplayName": "OneLogin Failed High Risk Login", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_high_risk_failed_login.yml"}, {"AnalysisType": "Correlation Rule", "Description": "A OneLogin user successfully logged in after a failed high-risk login attempt.", "DisplayName": "OneLogin High Risk Failed Login FOLLOWED BY Successful Login", "LogTypes": ["OneLogin.Events"], "YAMLPath": "correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml"}, {"AnalysisType": "Rule", "Description": "Possible Denial of Service detected. Threshold for user account deletions exceeded.", "DisplayName": "OneLogin Multiple Accounts Deleted", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_threshold_accounts_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Possible Denial of Service detected. 
Threshold for user account password changes exceeded.", "DisplayName": "OneLogin Multiple Accounts Modified", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_threshold_accounts_modified.yml"}, {"AnalysisType": "Rule", "Description": "User accessed another user's application password", "DisplayName": "OneLogin Password Access", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_password_accessed.yml"}, {"AnalysisType": "Rule", "Description": "A OneLogin user was denied access to an app more times than the configured threshold.", "DisplayName": "OneLogin Unauthorized Access", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_unauthorized_access.yml"}, {"AnalysisType": "Rule", "Description": "User assumed another user account", "DisplayName": "OneLogin User Assumed Another User", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_user_assumed.yml"}, {"AnalysisType": "Rule", "Description": "User locked or suspended from their account.", "DisplayName": "OneLogin User Locked", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_user_account_locked.yml"}, {"AnalysisType": "Rule", "Description": "A user password was updated.", "DisplayName": "OneLogin User Password Changed", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_password_changed.yml"}, {"AnalysisType": "Rule", "Description": "Keep track of osquery versions, current is 5.10.2.", "DisplayName": "Osquery Agent Outdated", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_outdated.yml"}, {"AnalysisType": "Rule", "Description": "Check if SSH is listening in a non-production environment. 
This could be an indicator of persistent access within an environment.", "DisplayName": "OSQuery Detected SSH Listener", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_ssh_listener.yml"}, {"AnalysisType": "Rule", "Description": "Monitor for chrome extensions that could lead to a credential compromise.", "DisplayName": "OSQuery Detected Unwanted Chrome Extensions", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml"}, {"AnalysisType": "Rule", "Description": "Verifies that MacOS has automatic software updates enabled.", "DisplayName": "OSQuery Reports Application Firewall Disabled", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_enable_auto_update.yml"}, {"AnalysisType": "Rule", "Description": "Checks if any results are returned for the Osquery OSSEC Rootkit pack.", "DisplayName": "OSSEC Rootkit Detected via Osquery", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_ossec.yml"}, {"AnalysisType": "Rule", "Description": "An Admin has modified Panther's SAML configuration.", "DisplayName": "Panther SAML configuration has been modified", "LogTypes": ["Panther.Audit"], "YAMLPath": "rules/panther_audit_rules/panther_saml_modified.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitor for the creation of pods which are attached to the host's network. This allows a pod to listen to all network traffic for all deployed computer on that particular node and communicate with other compute on the network namespace. 
Attackers can use this to capture secrets passed in arguments or connections.", "DisplayName": "Pod attached to the Node Host Network", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any pod creation or modification using the host IPC Namespace. Deploying pods in the Host IPC Namespace, breaks isolation between the pod and the underlying host meaning the pod has direct access to the same IPC objects and communications channels as the host system.", "DisplayName": "Pod Created or Modified Using the Host IPC Namespace", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any pod creation or modification using the host PID namespace. The Host PID namespace enables a pod and its containers to have direct access and share the same view as of the host\u2019s processes. This can offer a powerful escape hatch to the underlying host.", "DisplayName": "Pod Created or Modified Using the Host PID Namespace", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a pod created with overly permissive linux capabilities. Excessive pod permissions and capabilities can be a launch point for privilege escalation or container breakout.", "DisplayName": "Pod Created with Overly Permissive Linux Capabilities", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for pod creation with a hostPath volume mount. 
The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement.", "DisplayName": "Pod creation or modification to a Host Path Volume Mount", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a privileged pod is created either by default or with permissions to run as root. These particular pods have full access to the hosts namespace and devices, ability to exploit the kernel, have dangerous linux capabilities, and can be a powerful launching point for further attacks.", "DisplayName": "Privileged Pod Created", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_privileged_pod_created_query.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security App Banner Acknowledged", "LogTypes": ["PushSecurity.Activity"], "YAMLPath": "rules/push_security_rules/push_security_app_banner_acknowledged.yml"}, {"AnalysisType": "Rule", "Description": "Login to application with unauthorized identity provider which could indicate a SAMLjacking attack.", "DisplayName": "Push Security Authorized IdP Login", "LogTypes": ["PushSecurity.Activity"], "YAMLPath": "rules/push_security_rules/push_security_authorized_idp_login.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security New App Detected", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_new_app_detected.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security New SaaS Account Created", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_new_saas_account_created.yml"}, {"AnalysisType": "Rule", "Description": "", 
"DisplayName": "Push Security Open Security Finding", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_open_security_finding.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security Phishable MFA Method", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_phishable_mfa_method.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security Phishing Attack", "LogTypes": ["PushSecurity.Controls"], "YAMLPath": "rules/push_security_rules/push_security_phishing_attack.yml"}, {"AnalysisType": "Rule", "Description": "MFA method on SaaS app changed", "DisplayName": "Push Security SaaS App MFA Method Changed", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_mfa_method_changed.yml"}, {"AnalysisType": "Rule", "Description": "Login to application with unauthorized identity provider which could indicate a SAMLjacking attack.", "DisplayName": "Push Security Unauthorized IdP Login", "LogTypes": ["PushSecurity.Activity"], "YAMLPath": "rules/push_security_rules/push_security_unauthorized_idp_login.yml"}, {"AnalysisType": "Scheduled Query", "Description": "RoleAssumes with multiple Useragents could indicate compromised credentials.", "DisplayName": "RoleAssumes by Multiple Useragents", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/anomalous_role_assume_query.yml"}, {"AnalysisType": "Rule", "Description": "An access key was created for the Root account", "DisplayName": "Root Account Access Key Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_root_access_key_created.yml"}, {"AnalysisType": "Rule", "Description": "Root account activity was detected.", "DisplayName": "Root Account Activity", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_root_activity.yml"}, {"AnalysisType": "Rule", "Description": "The root account has been logged into.", 
"DisplayName": "Root Console Login", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_console_root_login.yml"}, {"AnalysisType": "Rule", "Description": "Someone manually changed the Root console login password.", "DisplayName": "Root Password Changed", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_root_password_changed.yml"}, {"AnalysisType": "Rule", "Description": "A S3 Bucket, Policy, or Website was deleted", "DisplayName": "S3 Bucket Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_s3_bucket_deleted.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that S3 bucket policies with service principals include conditions to prevent the confused deputy problem.", "DisplayName": "S3 Bucket Policy Confused Deputy Protection for Service Principals", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_policy_confused_deputy.yml"}, {"AnalysisType": "Rule", "Description": "Salesforce detection that alerts when an admin logs in as another user.", "DisplayName": "Salesforce Admin Login As User", "LogTypes": ["Salesforce.LoginAs"], "YAMLPath": "rules/salesforce_rules/salesforce_admin_login_as_user.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a large number of secrets requests by a single user. This could potentially indicate secret enumeration, which can potentially enable lateral or vertical movement and unauthorized access to critical resources.", "DisplayName": "Secret Enumeration by a User", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_secret_enumeration_query.yml"}, {"AnalysisType": "Correlation Rule", "Description": "The rule detects when a GitHub Secret Scan detects an exposed secret, which is not followed by the expected quarantine operation in AWS. 
When you make a repository public, or push changes to a public repository, GitHub always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them.", "DisplayName": "Secret Exposed and not Quarantined", "LogTypes": ["AWS.CloudTrail", "GitHub.Audit"], "YAMLPath": "correlation_rules/secret_exposed_and_not_quarantined.yml"}, {"AnalysisType": "Policy", "Description": "AWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data.", "DisplayName": "Sensitive AWS CloudWatch Log Encryption", "LogTypes": ["AWS.CloudWatch.LogGroup"], "YAMLPath": "policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.yml"}, {"AnalysisType": "Rule", "Description": "SentinelOne Alert Passthrough", "DisplayName": "SentinelOne Alert Passthrough", "LogTypes": ["SentinelOne.Activity"], "YAMLPath": "rules/sentinelone_rules/sentinelone_alert_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "Passthrough SentinelOne Threats", "DisplayName": "SentinelOne Threats", "LogTypes": ["SentinelOne.Activity"], "YAMLPath": "rules/sentinelone_rules/sentinelone_threats.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an entity signs in from a nation associated with cyber attacks", "DisplayName": "Sign In from Rogue State", "LogTypes": ["AWS.CloudTrail", "Asana.Audit", "Atlassian.Audit", "Azure.Audit", "Box.Event", "Notion.AuditLogs", "Okta.SystemLog", "OneLogin.Events", "OnePassword.SignInAttempt", "Zendesk.Audit", "Zoom.Activity"], "YAMLPath": "rules/standard_rules/sign_in_from_rogue_state.yml"}, {"AnalysisType": "Rule", "Description": 
"Passthrough for anomalies detected by Slack", "DisplayName": "Slack Anomaly Detected", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_passthrough_anomaly.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack App has had its permission scopes expanded", "DisplayName": "Slack App Access Expanded", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_app_access_expanded.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack App has been added to a workspace", "DisplayName": "Slack App Added", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_app_added.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack App has been removed", "DisplayName": "Slack App Removed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_app_removed.yml"}, {"AnalysisType": "Rule", "Description": "Detects when slack admin invalidates user session(s). If it happens more than once in a 24 hour period it can lead to DoS", "DisplayName": "Slack Denial of Service", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_application_dos.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Data Loss Prevention (DLP) rule has been deactivated or a violation has been deleted", "DisplayName": "Slack DLP Modified", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_dlp_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects when the logging settings for a workspace's EKM configuration has changed", "DisplayName": "Slack EKM Config Changed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_ekm_config_changed.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a workspace is longer enrolled in EKM", "DisplayName": "Slack EKM Slackbot Unenrolled", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_ekm_slackbot_unenrolled.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a 
workspace is no longer enrolled or managed by EKM", "DisplayName": "Slack EKM Unenrolled", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_ekm_unenrolled.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to the identity provider (IdP) configuration for Slack organizations.", "DisplayName": "Slack IDP Configuration Changed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_idp_configuration_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack information barrier is deleted/updated", "DisplayName": "Slack Information Barrier Modified", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_information_barrier_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects the disabling of Microsoft Intune Enterprise MDM within Slack", "DisplayName": "Slack Intune MDM Disabled", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_intune_mdm_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to configured legal hold policies", "DisplayName": "Slack Legal Hold Policy Modified", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_legal_hold_policy_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to Multi-Factor Authentication requirements", "DisplayName": "Slack MFA Settings Changed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_mfa_settings_changed.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack organization is created", "DisplayName": "Slack Organization Created", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_org_created.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack organization is deleted", "DisplayName": "Slack Organization Deleted", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_org_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a potentially malicious 
file is shared within Slack", "DisplayName": "Slack Potentially Malicious File Shared", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_potentially_malicious_file_shared.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a channel that was previously private is made public", "DisplayName": "Slack Private Channel Made Public", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_private_channel_made_public.yml"}, {"AnalysisType": "Rule", "Description": "Detects transferring of service owner on request from primary owner", "DisplayName": "Slack Service Owner Transferred", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_service_owner_transferred.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to Single Sign On (SSO) restrictions", "DisplayName": "Slack SSO Settings Changed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_sso_settings_changed.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack user gains escalated privileges", "DisplayName": "Slack User Privilege Escalation", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_user_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack account is changed to User from an elevated role.", "DisplayName": "Slack User Privileges Changed to User", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_privilege_changed_to_user.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect when account admin is granted.", "DisplayName": "Snowflake Account Admin Granted", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_account_admin_assigned.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect brute force attacks by monitoring for failed logins from the same IP address", "DisplayName": "Snowflake Brute Force Attacks by IP", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": 
"queries/snowflake_queries/snowflake_brute_force_ip.yml"}, {"AnalysisType": "Rule", "Description": "Detect brute force attacks by monitorign failed logins from the same IP address", "DisplayName": "Snowflake Brute Force Attacks by User", "LogTypes": ["Snowflake.LoginHistory"], "YAMLPath": "rules/snowflake_rules/snowflake_stream_brute_force_by_username.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect brute force attacks by monitoring for failed logins by the same username", "DisplayName": "Snowflake Brute Force Attacks by Username", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_brute_force_username.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Detecting brute force activity and reporting when a user has incorrectly logged in multiple times and then had a successful login.", "DisplayName": "Snowflake Brute Force Login Success", "LogTypes": ["Snowflake.LoginHistory"], "YAMLPath": "correlation_rules/snowflake_potential_brute_force_success.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Monitor for malicious IPs interacting with Snowflake as part of ongoing cyber threat activity reported May 31st, 2024", "DisplayName": "Snowflake Client IP", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_0108977_ip.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Monitor for configuration drift made by malicious actors as part of ongoing cyber threat activity reported May 31st, 2024", "DisplayName": "Snowflake Configuration Drift", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_0108977_configuration_drift.yml"}, {"AnalysisType": "Correlation Rule", "Description": "In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim\u2019s Snowflake instance. 
Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization\u2019s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer\u2019s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled.", "DisplayName": "Snowflake Data Exfiltration", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "correlation_rules/snowflake_data_exfiltration.yml"}, {"AnalysisType": "Rule", "Description": "Detect when an external share has been initiated from one source cloud to another target cloud.", "DisplayName": "Snowflake External Data Share", "LogTypes": ["Snowflake.DataTransferHistory"], "YAMLPath": "rules/snowflake_rules/snowflake_stream_external_shares.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect when an external share has been initiated from one source cloud to another target cloud.", "DisplayName": "Snowflake External Share", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_external_shares.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "A file was downloaded from a stage", "DisplayName": "Snowflake File Downloaded", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_file_downloaded_signal.yml"}, {"AnalysisType": "Rule", "Description": "Detect additional grants to the public role.", "DisplayName": "Snowflake Grant to Public Role", "LogTypes": ["Snowflake.GrantsToRoles"], "YAMLPath": "rules/snowflake_rules/snowflake_stream_public_role_grant.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect snowflake logins without multifactor authentication", "DisplayName": "Snowflake Login Without MFA", 
"LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_login_without_mfa.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detecting brute force activity and reporting when a user has incorrectly logged in multiple times and then had a successful login.", "DisplayName": "Snowflake Multiple Failed Logins Followed By Success", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_multiple_failed_logins_followed_by_success.yml"}, {"AnalysisType": "Rule", "Description": "Track successful login signals for correlation.", "DisplayName": "Snowflake Successful Login", "LogTypes": ["Snowflake.LoginHistory"], "YAMLPath": "rules/snowflake_rules/snowflake_stream_login_success.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "A table was copied into a stage", "DisplayName": "Snowflake Table Copied Into Stage", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_table_copied_into_stage_signal.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "A temporary stage was created", "DisplayName": "Snowflake Temporary Stage Created", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_temp_stage_created_signal.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Return sessions of suspected clients as part of ongoing cyber threat activity reported May 31st, 2024", "DisplayName": "Snowflake User Access", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_0109877_suspected_user_access.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect new users created in snowflake", "DisplayName": "Snowflake User Created", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_user_created.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Returns instances where a user's cumulative daily query volume is much larger than normal. 
Could indicate exfiltration attempts.", "DisplayName": "Snowflake User Daily Query Volume Spike", "LogTypes": ["Snowflake.QueryHistory"], "YAMLPath": "queries/snowflake_queries/snowflake_user_query_volume_spike_query.yml"}, {"AnalysisType": "Saved Query", "Description": "This query returns the most voluminous queries executed by a specific user over the past 48 hours.", "DisplayName": "Snowflake User Daily Query Volume Spike - Threat Hunting", "LogTypes": ["Panther.Audit", "Snowflake.QueryHistory"], "YAMLPath": "queries/snowflake_queries/snowflake_user_query_volume_spike_threat_hunting.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect users being re-enabled in your environment", "DisplayName": "Snowflake User Enabled", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_user_enabled.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect when a user that has key-based authentication configured logs in with a password", "DisplayName": "Snowflake user with key-based auth logged in with password auth", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_key_user_password_login.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk settings that lack a clear security impact are changed", "DisplayName": "Snyk Miscellaneous Settings", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_misc_settings.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Group or Organization Settings are changed.", "DisplayName": "Snyk Org or Group Settings Change", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_ou_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Organization settings, like Integrations and Webhooks, are changed", "DisplayName": "Snyk Org Settings", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_org_settings.yml"}, 
{"AnalysisType": "Rule", "Description": "Detects when Snyk Project settings are changed", "DisplayName": "Snyk Project Settings", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_project_settings.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Roles are changed", "DisplayName": "Snyk Role Change", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_role_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Service Accounts are changed", "DisplayName": "Snyk Service Account Change", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_svcacct_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Settings that control access for external parties have been changed.", "DisplayName": "Snyk System External Access Settings Changed", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_system_externalaccess.yml"}, {"AnalysisType": "Rule", "Description": "Detects Snyk Policy Settings have been changed. Policies define Snyk's behavior when encountering security and licensing issues.", "DisplayName": "Snyk System Policy Settings Changed", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_system_policysetting.yml"}, {"AnalysisType": "Rule", "Description": "Detects Snyk SSO Settings have been changed. 
The reference URL from Snyk indicates that these events are likely to originate exclusively from Snyk Support.", "DisplayName": "Snyk System SSO Settings Changed", "LogTypes": ["Snyk.GroupAudit"], "YAMLPath": "rules/snyk_rules/snyk_system_sso.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Users are changed", "DisplayName": "Snyk User Management", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_user_mgmt.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Identifies when StopInstance and ModifyInstanceAttributes CloudTrail events occur in a short period of time. Since EC2 startup scripts cannot be modified without first stopping the instance, StopInstances should be a signal.", "DisplayName": "StopInstance FOLLOWED BY ModifyInstanceAttributes", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml"}, {"AnalysisType": "Rule", "Description": "Sublime flagged some messages as suspicious.", "DisplayName": "Sublime Flagged an Email", "LogTypes": ["Sublime.MessageEvent"], "YAMLPath": "rules/sublime_rules/sublime_message_flagged.yml"}, {"AnalysisType": "Rule", "Description": "A Sublime User disabled some mailbox(es).", "DisplayName": "Sublime Mailbox Deactivated", "LogTypes": ["Sublime.Audit"], "YAMLPath": "rules/sublime_rules/sublime_mailboxes_deactivated.yml"}, {"AnalysisType": "Rule", "Description": "A Sublime User disabled or deleted some message source(s).", "DisplayName": "Sublime Message Source Deleted Or Deactivated", "LogTypes": ["Sublime.Audit"], "YAMLPath": "rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml"}, {"AnalysisType": "Rule", "Description": "A Sublime User disabled or deleted some rule(s).", "DisplayName": "Sublime Rules Deleted Or Deactivated", "LogTypes": ["Sublime.Audit"], "YAMLPath": "rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml"}, {"AnalysisType": "Rule", "Description": "A 
suspicious cron has been added", "DisplayName": "Suspicious cron detected", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_suspicious_cron.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported a suspicious login for this user.", "DisplayName": "Suspicious GSuite Login", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_suspicious_logins.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This query can be used for the detection of unusual, non-common applications and client characteristics that had been used to connect to the Snowflake account, using a comparison to the previous usage baseline.", "DisplayName": "Suspicious Snowflake Sessions - Unusual Application", "LogTypes": [], "YAMLPath": "queries/snowflake_queries/snowflake_suspicious_session_query.yml"}, {"AnalysisType": "Rule", "Description": "A Tailscale User disabled HTTPS settings in your organization's tenant.", "DisplayName": "Tailscale HTTPS Disabled", "LogTypes": ["Tailscale.Audit"], "YAMLPath": "rules/tailscale_rules/tailscale_https_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Tailscale User disabled machine approval requirement settings in your organization's tenant. 
This means devices can access your network without requiring approval.", "DisplayName": "Tailscale Machine Approval Requirements Disabled", "LogTypes": ["Tailscale.Audit"], "YAMLPath": "rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Tailscale User disabled magic dns settings in your organization's tenant.", "DisplayName": "Tailscale Magic DNS Disabled", "LogTypes": ["Tailscale.Audit"], "YAMLPath": "rules/tailscale_rules/tailscale_magicdns_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A user has been manually created, modified, or deleted", "DisplayName": "Teleport Create User Accounts", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_create_user_accounts.yml"}, {"AnalysisType": "Rule", "Description": "A user has invoked a network scan that could potentially indicate enumeration of the network.", "DisplayName": "Teleport Network Scan Initiated", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_network_scanning.yml"}, {"AnalysisType": "Rule", "Description": "A user has manually edited the Linux crontab", "DisplayName": "Teleport Scheduled Jobs", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_scheduled_jobs.yml"}, {"AnalysisType": "Rule", "Description": "A high volume of SSH errors could indicate a brute-force attack", "DisplayName": "Teleport SSH Auth Errors", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_auth_errors.yml"}, {"AnalysisType": "Rule", "Description": "A user has invoked a suspicious command that could lead to a host compromise", "DisplayName": "Teleport Suspicious Commands Executed", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_suspicious_commands.yml"}, {"AnalysisType": "Rule", "Description": "A 
Canary has disconnected/reconnected.", "DisplayName": "Thinkst Canary DCRC", "LogTypes": ["ThinkstCanary.Alert"], "YAMLPath": "rules/thinkstcanary_rules/thinkst_canary_dcrc.yml"}, {"AnalysisType": "Rule", "Description": "A Canary incident has been detected.", "DisplayName": "Thinkst Canary Incident", "LogTypes": ["ThinkstCanary.Alert"], "YAMLPath": "rules/thinkstcanary_rules/thinkst_canary_incident.yml"}, {"AnalysisType": "Rule", "Description": "A Canarytoken incident has been detected.", "DisplayName": "Thinkst Canarytoken Incident", "LogTypes": ["ThinkstCanary.Alert"], "YAMLPath": "rules/thinkstcanary_rules/thinkst_canarytoken_incident.yml"}, {"AnalysisType": "Rule", "Description": "Detections when Tines Actions are set to Disabled Change", "DisplayName": "Tines Actions Disabled Change", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_actions_disabled_changes.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Tines Custom CertificateAuthority settings are changed", "DisplayName": "Tines Custom CertificateAuthority setting changed", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_custom_ca.yml"}, {"AnalysisType": "Rule", "Description": "Currently enqueued or retrying jobs were cleared", "DisplayName": "Tines Enqueued/Retrying Job Deletion", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_enqueued_retrying_job_deletion.yml"}, {"AnalysisType": "Rule", "Description": "A Tines user has destroyed a global resource.", "DisplayName": "Tines Global Resource Destruction", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_global_resource_destruction.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Tines SSO settings are changed", "DisplayName": "Tines SSO Settings", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_sso_settings.yml"}, {"AnalysisType": "Rule", "Description": "A user has destroyed a story item", "DisplayName": "Tines Story Items Destruction", 
"LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_story_items_destruction.yml"}, {"AnalysisType": "Rule", "Description": "A Tines User has cleared story jobs.", "DisplayName": "Tines Story Jobs Clearance", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_story_jobs_clearance.yml"}, {"AnalysisType": "Rule", "Description": "A user has destroyed a team", "DisplayName": "Tines Team Destruction", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_team_destruction.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Tines Tenant API Keys are added", "DisplayName": "Tines Tenant API Keys Added", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_tenant_authtoken.yml"}, {"AnalysisType": "Rule", "Description": "Tracebit maintains security canaries across your organization to detect potential intrusions.This alert indicates that Tracebit has detected activity on security canaries.", "DisplayName": "Tracebit Alert", "LogTypes": ["Tracebit.Alert"], "YAMLPath": "rules/tracebit_rules/tracebit_alert.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any unauthenticated kubernetes api request. Unauthenticated Requests are performed by the anonymous user and have unfederated access to the cluster.", "DisplayName": "Unauthenticated Kubernetes API Request", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_unauthenticated_api_request_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any pod execution in a kubernetes cluster. 
Pod execution should never be done in a production cluster, and can indicate a user performing unauthorized actions.", "DisplayName": "Unauthorized Kubernetes Pod Execution", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_unauthorized_pod_execution_query.yml"}, {"AnalysisType": "Rule", "Description": "Check that all laptops on the corporate environment are on a version of MacOS supported by IT.", "DisplayName": "Unsupported macOS version", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_outdated_macos.yml"}, {"AnalysisType": "Rule", "Description": "CloudTrail logged non-read activity from a verboten AWS region.", "DisplayName": "Unused AWS Region", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_unused_region.yml"}, {"AnalysisType": "Rule", "Description": "Detects when unusual or undesirable 1Password clients access your 1Password account", "DisplayName": "Unusual 1Password Client Detected", "LogTypes": ["OnePassword.SignInAttempt"], "YAMLPath": "rules/onepassword_rules/onepassword_unusual_client.yml"}, {"AnalysisType": "Rule", "Description": "A User logged in as root", "DisplayName": "User Logged in as root", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_root_login.yml"}, {"AnalysisType": "Rule", "Description": "A local User logged in without MFA", "DisplayName": "User Logged in wihout MFA", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_local_user_login_without_mfa.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect dns tunneling traffic using a scheduled query", "DisplayName": "VPC DNS Tunneling", "LogTypes": ["AWS.VPCDns"], "YAMLPath": "queries/aws_queries/vpc_dns_tunneling.yml"}, {"AnalysisType": "Rule", "Description": "VPC Flow Logs observed inbound traffic violating the port allowlist.", "DisplayName": "VPC Flow Logs Inbound Port Allowlist", 
"LogTypes": ["AWS.VPCFlow", "OCSF.NetworkActivity"], "YAMLPath": "rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.yml"}, {"AnalysisType": "Rule", "Description": "VPC Flow Logs observed inbound traffic violating the port blocklist.", "DisplayName": "VPC Flow Logs Inbound Port Blocklist", "LogTypes": ["AWS.VPCFlow", "OCSF.NetworkActivity"], "YAMLPath": "rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.yml"}, {"AnalysisType": "Rule", "Description": "Alerts if outbound DNS traffic is detected to a non-approved DNS server. DNS is often used as a means to exfiltrate data or perform command and control for compromised hosts. All DNS traffic should be routed through internal DNS servers or trusted 3rd parties.", "DisplayName": "VPC Flow Logs Unapproved Outbound DNS Traffic", "LogTypes": ["AWS.VPCFlow", "OCSF.NetworkActivity"], "YAMLPath": "rules/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Instances of a srcAddr communicating with multiple ports on a dstAddr could indicate port scanning activity.", "DisplayName": "VPC Flow Port Scanning", "LogTypes": ["AWS.VPCFlow"], "YAMLPath": "queries/aws_queries/anomalous_vpc_port_activity_query.yml"}, {"AnalysisType": "Rule", "Description": "This rule enriches and contextualizes security alerts generated by Wiz.", "DisplayName": "Wiz Alert Passthrough Rule", "LogTypes": ["Wiz.Issues"], "YAMLPath": "rules/wiz_rules/wiz_alert_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of CICD scan policies.", "DisplayName": "Wiz CICD Scan Policy Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of connectors.", "DisplayName": "Wiz Connector Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": 
"rules/wiz_rules/wiz_connector_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of data classifiers.", "DisplayName": "Wiz Data Classifier Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_data_classifier_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of image integrity validators.", "DisplayName": "Wiz Image Integrity Validator Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of Wiz integrations.", "DisplayName": "Wiz Integration Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_integration_updated_or_deleted.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Wiz detected a security issue with an EC2 instance followed by an SSH connection to the instance. 
This sequence could indicate a potential security breach.", "DisplayName": "Wiz Issue Followed By SSH to EC2 Instance", "LogTypes": ["AWS.VPCFlow", "Wiz.Issues"], "YAMLPath": "correlation_rules/wiz_issue_followed_by_ssh.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects user sessions revoked.", "DisplayName": "Wiz Revoke User Sessions", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_revoke_user_sessions.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects service account secrets rotations.", "DisplayName": "Wiz Rotate Service Account Secret", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_rotate_service_account_secret.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations, updates and deletions of Wiz rules.", "DisplayName": "Wiz Rule Change", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_rule_change.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations, updates and deletions of SAML identity providers.", "DisplayName": "Wiz SAML Identity Provider Change", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_saml_identity_provider_change.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations, updates and deletions of service accounts.", "DisplayName": "Wiz Service Account Change", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_service_account_change.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates of IP restrictions.", "DisplayName": "Wiz Update IP Restrictions", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_update_ip_restrictions.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates of Wiz login settings.", "DisplayName": "Wiz Update Login Settings", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_update_login_settings.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates of Wiz scanner settings.", "DisplayName": "Wiz Update 
Scanner Settings", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_update_scanner_settings.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates of Wiz support contact list.", "DisplayName": "Wiz Update Support Contact List", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_update_support_contact_list.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations and deletions of Wiz users.", "DisplayName": "Wiz User Created Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_user_created_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of Wiz user roles.", "DisplayName": "Wiz User Role Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_user_role_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Only one admin user can be the account owner. Ensure the change in ownership is expected.", "DisplayName": "Zendesk Account Owner Changed", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_new_owner.yml"}, {"AnalysisType": "Rule", "Description": "A user created a new API token to be used with Zendesk.", "DisplayName": "Zendesk API Token Created", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_new_api_token.yml"}, {"AnalysisType": "Rule", "Description": "A user updated account setting that disabled credit card redaction.", "DisplayName": "Zendesk Credit Card Redaction Off", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_sensitive_data_redaction.yml"}, {"AnalysisType": "Rule", "Description": "A user updated account setting that enabled or disabled mobile app access.", "DisplayName": "Zendesk Mobile App Access Modified", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_mobile_app_access.yml"}, {"AnalysisType": "Rule", "Description": "A user's Zendesk role was changed", "DisplayName": "Zendesk User Role Changed", 
"LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_user_role.yml"}, {"AnalysisType": "Rule", "Description": "A user's Zendesk suspension status was changed.", "DisplayName": "Zendesk User Suspension Status Changed", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_user_suspension.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when admin user/role was deleted.", "DisplayName": "ZIA Account Access Removed", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_account_access_removal.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when an additional cloud role was created.", "DisplayName": "ZIA Additional Cloud Roles", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_additional_cloud_roles.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when ZIA backup data was deleted.", "DisplayName": "ZIA Backup Deleted", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_backup_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when new cloud account was created.", "DisplayName": "ZIA Cloud Account Created", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_create_cloud_account.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when ZIA goldenRestorePoint was dropped. 
It means that some piece of information that was impossible to delete before, now is deletable", "DisplayName": "ZIA Golden Restore Point Dropped", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_golden_restore_point_dropped.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when password settings are insecure.", "DisplayName": "ZIA Insecure Password Settings", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_insecure_password_settings.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when ZIA log streaming was disabled.", "DisplayName": "ZIA Log Streaming Disabled", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_log_streaming_disabled.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when ZIA Audit Logs were downloaded.", "DisplayName": "ZIA Logs Downloaded", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_logs_downloaded.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when password expiration eas set/removed.", "DisplayName": "ZIA Password Expiration", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_password_expiration.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when SAML authentication was enabled/disabled.", "DisplayName": "ZIA Trust Modification", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_trust_modification.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User turned off your organization's requirement that all meetings are secured with one security option.", "DisplayName": "Zoom All Meetings Secured With One Option Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_all_meetings_secured_with_one_option_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User turned off your organization's setting to 
automatically sign users out after a specified period of time.", "DisplayName": "Zoom Automatic Sign Out Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_automatic_sign_out_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Meeting passcode requirement has been disabled from usergroup", "DisplayName": "Zoom Meeting Passcode Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_operation_passcode_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User turned off your organization's setting to require passcodes for new meetings.", "DisplayName": "Zoom New Meeting Passcode Required Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_new_meeting_passcode_required_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User modified your organizations sign in method.", "DisplayName": "Zoom Sign In Method Modified", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_sign_in_method_modified.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User changed your organization's sign in requirements.", "DisplayName": "Zoom Sign In Requirements Changed", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_sign_in_requirements_changed.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User disabled your organization's setting to sign in with Two-Factor Authentication.", "DisplayName": "Zoom Two Factor Authentication Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_two_factor_authentication_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom user was promoted to a privileged role.", "DisplayName": "Zoom User Promoted to Privileged Role", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_user_promoted_to_privileged_role.yml"}] \ No newline at end of file +[{"AnalysisType": "Scheduled Rule", "Description": "Detects 
1Password Logins from IP addresses not found in CrowdStrike's AIP list. May indicate unmanaged device being used, or faulty CrowdStrike Sensor.", "DisplayName": "1Password Login From CrowdStrike Unmanaged Device", "LogTypes": ["Crowdstrike.AIDMaster", "OnePassword.SignInAttempt"], "YAMLPath": "queries/crowdstrike_queries/onepassword_login_from_crowdstrike_unmanaged_device.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Looks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List.", "DisplayName": "1Password Login From CrowdStrike Unmanaged Device Query", "LogTypes": ["Crowdstrike.AIDMaster", "OnePassword.SignInAttempt"], "YAMLPath": "queries/crowdstrike_queries/onepass_login_from_crowdstrike_unmanaged_device_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Looks for OnePassword Logins from IP Addresses that aren't seen in CrowdStrike's AIP List. (crowdstrike_fdrevent table)", "DisplayName": "1Password Login From CrowdStrike Unmanaged Device Query (crowdstrike_fdrevent table)", "LogTypes": ["Crowdstrike.FDREvent", "OnePassword.SignInAttempt"], "YAMLPath": "queries/onepassword_queries/onepass_login_from_crowdstrike_unmanaged_device_FDREvent.yml"}, {"AnalysisType": "Rule", "Description": "Detects vulnerable versions of XZ and liblzma on Linux and MacOS using Osquery logs. Versions 5.6.0 and 5.6.1 of xz and liblzma are most likely vulnerable to backdoor exploit. 
Vuln management pack must be enabled: https://github.com/osquery/osquery/blob/master/packs/vuln-management.conf", "DisplayName": "A backdoored version of XZ or liblzma is vulnerable to CVE-2024-3094", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_linux_mac_vulnerable_xz_liblzma.yml"}, {"AnalysisType": "Rule", "Description": "A CloudTrail Trail was created, updated, or enabled.", "DisplayName": "A CloudTrail Was Created or Updated", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_created.yml"}, {"AnalysisType": "Rule", "Description": "A system has been logged into from a non approved IP space.", "DisplayName": "A Login from Outside the Corporate Office", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_linux_logins_non_office.yml"}, {"AnalysisType": "Rule", "Description": "An unusually long-lived Teleport certificate was created", "DisplayName": "A long-lived cert was created", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_long_lived_certs.yml"}, {"AnalysisType": "Rule", "Description": "A SAML connector was created or modified", "DisplayName": "A SAML Connector was created or modified", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_saml_created.yml"}, {"AnalysisType": "Rule", "Description": "A Teleport Lock was created", "DisplayName": "A Teleport Lock was created", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_lock_created.yml"}, {"AnalysisType": "Rule", "Description": "A Teleport Role was modified or created", "DisplayName": "A Teleport Role was modified or created", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_role_created.yml"}, {"AnalysisType": "Rule", "Description": "A user authenticated with SAML, but from an unknown company domain", 
"DisplayName": "A user authenticated with SAML, but from an unknown company domain", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_saml_login_not_company_domain.yml"}, {"AnalysisType": "Rule", "Description": "A User from the company domain(s) Logged in without SAML", "DisplayName": "A User from the company domain(s) Logged in without SAML", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_company_domain_login_without_saml.yml"}, {"AnalysisType": "Rule", "Description": "A Panther user role has been created that contains admin level permissions.", "DisplayName": "A User Role with Sensitive Permissions has been Created", "LogTypes": ["Panther.Audit"], "YAMLPath": "rules/panther_audit_rules/panther_sensitive_role_created.yml"}, {"AnalysisType": "Rule", "Description": "A Panther user's role has been modified. This could mean password, email, or role has changed for the user.", "DisplayName": "A User's Panther Account was Modified", "LogTypes": ["Panther.Audit"], "YAMLPath": "rules/panther_audit_rules/panther_user_modified.yml"}, {"AnalysisType": "Rule", "Description": "An account wide security configuration was changed.", "DisplayName": "Account Security Configuration Changed", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_security_configuration_change.yml"}, {"AnalysisType": "Rule", "Description": "An action was performed by Netskope personnel.", "DisplayName": "Action Performed by Netskope Personnel", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_personnel_action.yml"}, {"AnalysisType": "Rule", "Description": "An admin was logged out because of successive login failures.", "DisplayName": "Admin logged out because of successive login failures", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_admin_logged_out.yml"}, {"AnalysisType": "Rule", "Description": "Assigning an admin 
role manually could be a sign of privilege escalation", "DisplayName": "Admin Role Assigned", "LogTypes": ["Asana.Audit", "Atlassian.Audit", "GCP.AuditLog", "GSuite.Reports", "GitHub.Audit", "OneLogin.Events", "Zendesk.Audit"], "YAMLPath": "rules/standard_rules/admin_assigned.yml"}, {"AnalysisType": "Rule", "Description": "An Amazon Machine Image (AMI) was modified to allow it to be launched by anyone. Any sensitive configuration or application data stored in the AMI's block devices is at risk.", "DisplayName": "Amazon Machine Image (AMI) Modified to Allow Public Access", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ami_modified_for_public_access.yml"}, {"AnalysisType": "Rule", "Description": "An administrator account was created, deleted, or modified.", "DisplayName": "An administrator account was created, deleted, or modified.", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_admin_user_change.yml"}, {"AnalysisType": "Scheduled Query", "Description": "ARNs with a high Access Denied error rate could indicate an error or compromised credentials attempting to perform reconnaissance.", "DisplayName": "Anomalous AccessDenied Requests", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/anomalous_access_denied_query.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AppOmni Alert Passthrough", "LogTypes": ["AppOmni.Alerts"], "YAMLPath": "rules/appomni_rules/appomni_alert_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "An Asana service account was created by someone in your organization.", "DisplayName": "Asana Service Account Created", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_service_account_created.yml"}, {"AnalysisType": "Rule", "Description": "An Asana team's privacy setting was changed to public to the organization (not public to internet)", "DisplayName": "Asana Team Privacy Public", "LogTypes": ["Asana.Audit"], "YAMLPath": 
"rules/asana_rules/asana_team_privacy_public.yml"}, {"AnalysisType": "Rule", "Description": "An Asana workspace's default session duration (how often users need to re-authenticate) has been changed to never.", "DisplayName": "Asana Workspace Default Session Duration Never", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_default_session_duration_never.yml"}, {"AnalysisType": "Rule", "Description": "A new email domain has been added to an Asana workspace. Reviewer should validate that the new domain is a part of the organization.", "DisplayName": "Asana Workspace Email Domain Added", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_email_domain_added.yml"}, {"AnalysisType": "Rule", "Description": "An Asana Workspace Form Link is a unique URL that allows you to create a task directly within a specific Workspace or Project in Asana, using a web form. Disabling authentication requirements may allow unauthorized users to create tasks.", "DisplayName": "Asana Workspace Form Link Auth Requirement Disabled", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_form_link_auth_requirement_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Typically inviting guests to Asana is permitted by few users. 
Enabling anyone to invite guests can potentially lead to unauthorized users gaining access to Asana.", "DisplayName": "Asana Workspace Guest Invite Permissions Anyone", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_guest_invite_permissions_anyone.yml"}, {"AnalysisType": "Rule", "Description": "Admin role was granted to the user who previously did not have admin permissions", "DisplayName": "Asana Workspace New Admin", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_new_admin.yml"}, {"AnalysisType": "Rule", "Description": "An Asana user started an org export.", "DisplayName": "Asana Workspace Org Export", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_org_export.yml"}, {"AnalysisType": "Rule", "Description": "An asana user made your organization's password requirements less strict.", "DisplayName": "Asana Workspace Password Requirements Simple", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_password_requirements_simple.yml"}, {"AnalysisType": "Rule", "Description": "An Asana user turned off app approval requirements for an application type for your organization.", "DisplayName": "Asana Workspace Require App Approvals Disabled", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_require_app_approvals_disabled.yml"}, {"AnalysisType": "Rule", "Description": "An Asana user made SAML optional for your organization.", "DisplayName": "Asana Workspace SAML Optional", "LogTypes": ["Asana.Audit"], "YAMLPath": "rules/asana_rules/asana_workspace_saml_optional.yml"}, {"AnalysisType": "Rule", "Description": "Reports when an Atlassian user logs in (impersonates) another user.", "DisplayName": "Atlassian admin impersonated another user", "LogTypes": ["Atlassian.Audit"], "YAMLPath": "rules/atlassian_rules/user_logged_in_as_user.yml"}, {"AnalysisType": "Rule", "Description": "Okta has determined that the cross-origin authentication feature in 
Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events.", "DisplayName": "Auth0 CIC Credential Stuffing", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_cic_credential_stuffing.yml"}, {"AnalysisType": "Saved Query", "Description": "Okta has determined that the cross-origin authentication feature in Customer Identity Cloud (CIC) is prone to being targeted by threat actors orchestrating credential-stuffing attacks. Okta has observed suspicious activity that started on April 15, 2024. Review tenant logs for unexpected fcoa, scoa, and pwd_leak events. https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks", "DisplayName": "Auth0 CIC Credential Stuffing Query", "LogTypes": ["Auth0.Events"], "YAMLPath": "queries/auth0_queries/auth0_cic_credential_stuffing_query.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User created a role in your organization's tenant.", "DisplayName": "Auth0 Custom Role Created", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_custom_role_created.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 integration was installed from the auth0 action library.", "DisplayName": "Auth0 Integration Installed", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_integration_installed.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 user enabled an mfa factor in your organization's mfa settings.", "DisplayName": "Auth0 mfa factor enabled", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_mfa_factor_setting_enabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User disabled MFA for your organization's tenant.", "DisplayName": "Auth0 MFA Policy Disabled", "LogTypes": ["Auth0.Events"], "YAMLPath": 
"rules/auth0_rules/auth0_mfa_policy_disabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User enabled MFA Policy for your organization's tenant.", "DisplayName": "Auth0 MFA Policy Enabled", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_mfa_policy_enabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User disabled the mfa risk assessment setting for your organization's tenant.", "DisplayName": "Auth0 MFA Risk Assessment Disabled", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_mfa_risk_assessment_disabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User enabled the mfa risk assessment setting for your organization's tenant.", "DisplayName": "Auth0 MFA Risk Assessment Enabled", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_mfa_risk_assessment_enabled.yml"}, {"AnalysisType": "Rule", "Description": "An Auth0 User updated a post login action flow for your organization's tenant.", "DisplayName": "Auth0 Post Login Action Flow Updated", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_post_login_action_flow.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Auth0 User Invitation Created", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_user_invitation_created.yml"}, {"AnalysisType": "Rule", "Description": "User accepted invitation from Auth0 member to join an Auth0 tenant.", "DisplayName": "Auth0 User Joined Tenant", "LogTypes": ["Auth0.Events"], "YAMLPath": "rules/auth0_rules/auth0_user_joined_tenant.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that AWS IAM account access keys are rotated every 90 days. 
Rotating access keys will reduce the window of opportunity for an access key that is associated with a compromised or terminated account to be used.", "DisplayName": "AWS Access Key Rotation", "LogTypes": ["AWS.IAM.RootUser", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_access_key_rotation.yml"}, {"AnalysisType": "Rule", "Description": "A users static AWS API key was uploaded to a public github repo.", "DisplayName": "AWS Access Key Uploaded to Github", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_key_compromised.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that AWS IAM user accounts do not have access keys that were created during account creation. This results in excess keys being generated, and unnecessary management work in auditing and rotating these keys.", "DisplayName": "AWS Access Keys At Account Creation", "LogTypes": ["AWS.IAM.RootUser", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_access_keys_at_account_creation.yml"}, {"AnalysisType": "Policy", "Description": "When a certificate is 60 days away from expiration, ACM automatically attempts to renew it every hour.", "DisplayName": "AWS ACM Certificate Expiration", "LogTypes": ["AWS.ACM.Certificate"], "YAMLPath": "policies/aws_acm_policies/aws_acm_certificate_expiration.yml"}, {"AnalysisType": "Policy", "Description": "This policy checks if an ACM certificate renewal is pending or has failed and is in use by any other resources within the account.", "DisplayName": "AWS ACM Certificate Status", "LogTypes": ["AWS.ACM.Certificate"], "YAMLPath": "policies/aws_acm_policies/aws_acm_certificate_valid.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all ACM certificates are using secure key and signature algorithms.", "DisplayName": "AWS ACM Secure Algorithms", "LogTypes": ["AWS.ACM.Certificate"], "YAMLPath": "policies/aws_acm_policies/aws_acm_certificate_has_secure_algorithms.yml"}, {"AnalysisType": 
"Policy", "Description": "This policy ensures that AMIs you have created are not configured to allow public access, which could result in accidental data loss. AMI's that you use but do not own are not evaluated by this policy.", "DisplayName": "AWS AMI Sharing", "LogTypes": ["AWS.EC2.AMI"], "YAMLPath": "policies/aws_ec2_policies/aws_ami_private.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all application load balancers have an associated Web ACl to enforce protections against various web attacks.", "DisplayName": "AWS Application Load Balancer Web ACL", "LogTypes": ["AWS.ELBV2.ApplicationLoadBalancer"], "YAMLPath": "policies/aws_elb_policies/aws_application_load_balancer_web_acl.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List", "DisplayName": "AWS Authentication from CrowdStrike Unmanaged Device", "LogTypes": ["AWS.CloudTrail", "Crowdstrike.AIDMaster"], "YAMLPath": "queries/crowdstrike_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_Query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects AWS Authentication events with IP Addresses not found in CrowdStrike's AIP List", "DisplayName": "AWS Authentication from CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)", "LogTypes": ["AWS.CloudTrail", "Crowdstrike.FDREvent"], "YAMLPath": "queries/aws_queries/AWS_Authentication_from_CrowdStrike_Unmanaged_Device_FDREvent.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Identifies when CreateRole and AttachAdminRolePolicy CloudTrail events occur in a short period of time. This sequence could indicate a potential security breach.", "DisplayName": "AWS Backdoor Administrative IAM Role Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_create_backdoor_admin_iam_role.yml"}, {"AnalysisType": "Rule", "Description": "An Amazon Bedrock Guardrail was updated or deleted. 
Amazon Bedrock Guardrails are used to implement application-specific safeguards based on your use cases and responsible AI policies. Updating or deleting a guardrail can have security implications to your AI workloads.", "DisplayName": "AWS Bedrock Guardrail Updated or Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_bedrock_guardrail_update_delete.yml"}, {"AnalysisType": "Rule", "Description": "An Amazon Bedrock Model Invocation Logging Configuration was deleted. Use model invocation logging to collect metadata, requests, and responses for all model invocations in your account. Deleting a model invocation logging configuration can have security implications to your AI workloads.", "DisplayName": "AWS Bedrock Model Invocation Logging Configuration Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_bedrock_deletemodelinvocationloggingconfiguration.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that all EC2 volumes that contain CDE are encrypted. 
Be sure to configure CDE definitions before enabling this policy.", "DisplayName": "AWS CDE EC2 Volume Encryption", "LogTypes": ["AWS.EC2.Volume"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_cde_volume_encrypted.yml"}, {"AnalysisType": "Policy", "Description": "A stack has drifted from its defined configuration.", "DisplayName": "AWS CloudFormation Stack Drift", "LogTypes": ["AWS.CloudFormation.Stack"], "YAMLPath": "policies/aws_cloudformation_policies/aws_cloudformation_stack_drifted.yml"}, {"AnalysisType": "Policy", "Description": "Associating IAM roles with CloudFormation stacks ensures least privilege when making changes to your account.", "DisplayName": "AWS CloudFormation Stack IAM Service Role", "LogTypes": ["AWS.CloudFormation.Stack"], "YAMLPath": "policies/aws_cloudformation_policies/aws_cloudformation_stack_uses_iam_role.yml"}, {"AnalysisType": "Policy", "Description": "Protects a CloudFormation stack from accidentally being deleted. If you attempt to delete a stack with termination protection enabled, the deletion fails and the stack, including its status, will remain unchanged.", "DisplayName": "AWS CloudFormation Stack Termination Protection", "LogTypes": ["AWS.CloudFormation.Stack"], "YAMLPath": "policies/aws_cloudformation_policies/aws_cloudformation_termination_protection.yml"}, {"AnalysisType": "Rule", "Description": "Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.", "DisplayName": "AWS CloudTrail Account Discovery", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_account_discovery.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an actor attempts to remove an AWS account from an Organization. Security configurations are often defined at the organizational level. 
Leaving the organization can disrupt or totally shut down these controls.", "DisplayName": "AWS CloudTrail Attempt To Leave Org", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_attempt_to_leave_org.yml"}, {"AnalysisType": "Policy", "Description": "CloudTrail supports sending data and management events to CloudWatch Logs. This setup can be used for real-time processing of all CloudTrail data events.", "DisplayName": "AWS CloudTrail CloudWatch Logs", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_cloudwatch_logs.yml"}, {"AnalysisType": "Policy", "Description": "Users with permissions to disable or reconfigure CloudTrail should be limited.", "DisplayName": "AWS CloudTrail Least Privilege Access", "LogTypes": ["AWS.IAM.Group"], "YAMLPath": "policies/aws_iam_policies/aws_cloudtrail_least_privilege.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that CloudTrail Logs are encrypted at rest with customer managed KMS key.", "DisplayName": "AWS CloudTrail Log Encryption", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_log_encryption.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that CloudTrail logs have file integrity validation enabled.", "DisplayName": "AWS CloudTrail Log Validation", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_log_validation.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that at least one CloudTrail has management (control plane) operations logged.", "DisplayName": "AWS CloudTrail Management Events Enabled", "LogTypes": ["AWS.CloudTrail.Meta"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_enabled.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for *AccountPasswordPolicy events in AWS CloudTrail logs. 
If these events occur in a short period of time from the same ARN, it could constitute Password Policy reconnaissance.", "DisplayName": "AWS CloudTrail Password Policy Discovery", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_password_policy_discovery.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an S3 bucket containing CloudTrail logs has been modified to delete data after a short period of time.", "DisplayName": "AWS CloudTrail Retention Lifecycle Too Short", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the bucket receiving CloudTrail Logs is configured with S3 Access Logging. This audits all creation, modification, or deletion to CloudTrail audit logs.", "DisplayName": "AWS CloudTrail S3 Bucket Access Logging", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_access_logging.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that CloudTrail S3 buckets are not publicly accessible.", "DisplayName": "AWS CloudTrail S3 Bucket Public", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "policies/aws_cloudtrail_policies/aws_cloudtrail_s3_bucket_public.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AWS CloudTrail SES Check Identity Verifications", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_identity_verifications.yml"}, {"AnalysisType": "Rule", "Description": "Detect when someone checks how many emails can be delivered via SES", "DisplayName": "AWS CloudTrail SES Check Send Quota", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_send_quota.yml"}, {"AnalysisType": "Rule", "Description": "Detect when a user inquires whether SES Sending is enabled.", "DisplayName": "AWS CloudTrail SES Check SES 
Sending Enabled", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_check_ses_sending_enabled.yml"}, {"AnalysisType": "Correlation Rule", "Description": "", "DisplayName": "AWS CloudTrail SES Enumeration", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_enumeration.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AWS CloudTrail SES List Identities", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_ses_list_identities.yml"}, {"AnalysisType": "Policy", "Description": "AWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data.", "DisplayName": "AWS CloudWatch Log Encryption", "LogTypes": ["AWS.CloudWatch.LogGroup"], "YAMLPath": "policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_encrypted.yml"}, {"AnalysisType": "Policy", "Description": "By default, logs are kept indefinitely and never expire. 
You can adjust the retention policy for each log group, keeping the indefinite retention, or choosing a specific retention period.", "DisplayName": "AWS CloudWatch Logs Data Retention", "LogTypes": ["AWS.CloudWatch.LogGroup"], "YAMLPath": "policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_data_retention.yml"}, {"AnalysisType": "Rule", "Description": "An AWS command was executed on a Linux instance", "DisplayName": "AWS command executed on the command line", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_linux_aws_commands.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an IAM user has the AWSCompromisedKeyQuarantineV2 policy attached to their account.", "DisplayName": "AWS Compromised IAM Key Quarantine", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_compromised_key_quarantine.yml"}, {"AnalysisType": "Policy", "Description": "You can have AWS Config record supported types of global resources, such as IAM users, groups, roles, and customer managed policies.", "DisplayName": "AWS Config Global Resources", "LogTypes": ["AWS.Config.Recorder.Meta"], "YAMLPath": "policies/aws_config_policies/aws_config_global_resources.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the config recorder is operational and capturing changes to your account without error.", "DisplayName": "AWS Config Recording Status", "LogTypes": ["AWS.Config.Recorder"], "YAMLPath": "policies/aws_config_policies/aws_config_recording_no_error.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensurers that you have a comprehensive configuration audit in place for all resource types in AWS.", "DisplayName": "AWS Config Records All Resource Types", "LogTypes": ["AWS.Config.Recorder"], "YAMLPath": "policies/aws_config_policies/aws_config_all_resource_types.yml"}, {"AnalysisType": "Rule", "Description": "An AWS Config Recorder or Delivery Channel was created", "DisplayName": "AWS Config 
Service Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_config_service_created.yml"}, {"AnalysisType": "Rule", "Description": "An AWS Config Recorder or Delivery Channel was disabled or deleted", "DisplayName": "AWS Config Service Disabled", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_config_service_disabled_deleted.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the config recorder is operational and capturing changes to your account.", "DisplayName": "AWS Config Status", "LogTypes": ["AWS.Config.Recorder"], "YAMLPath": "policies/aws_config_policies/aws_config_recording_enabled.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AWS Console Login", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_console_login.yml"}, {"AnalysisType": "Correlation Rule", "Description": "A user has logged into the AWS console without authenticating via Okta. This rule requires AWS SSO via Okta and both log sources configured.", "DisplayName": "AWS Console Sign-In NOT PRECEDED BY Okta Redirect", "LogTypes": ["AWS.CloudTrail", "Okta.SystemLog"], "YAMLPath": "correlation_rules/aws_console_sign-in_without_okta.yml"}, {"AnalysisType": "Rule", "Description": "Identifies clients that may be performing DNS lookups associated with common currency mining pools.", "DisplayName": "AWS DNS Crypto Domain", "LogTypes": ["AWS.VPCDns", "OCSF.DnsActivity"], "YAMLPath": "rules/aws_vpc_flow_rules/aws_dns_crypto_domain.yml"}, {"AnalysisType": "Rule", "Description": "Detects when logs for a DNS Resolver have been removed.", "DisplayName": "AWS DNS Logs Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_dns_logs_deleted.yml"}, {"AnalysisType": "Policy", "Description": "DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. 
This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic", "DisplayName": "AWS DynamoDB Table Autoscaling", "LogTypes": ["AWS.DynamoDB.Table"], "YAMLPath": "policies/aws_dynamodb_policies/aws_dynamodb_autoscaling.yml"}, {"AnalysisType": "Policy", "Description": "DynamoDB Auto Scaling can dynamically adjust provisioned throughput capacity in response to traffic patterns. This enables a table to increase its provisioned read and write capacity to handle sudden increases in traffic", "DisplayName": "AWS DynamoDB Table Autoscaling Configuration", "LogTypes": ["AWS.DynamoDB.Table"], "YAMLPath": "policies/aws_dynamodb_policies/aws_dynamodb_autoscaling_configuration.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all DynamoDB tables have a TTL field configured.", "DisplayName": "AWS DynamoDB Table TTL", "LogTypes": ["AWS.DynamoDB.Table"], "YAMLPath": "policies/aws_dynamodb_policies/aws_dynamodb_table_ttl_enabled.yml"}, {"AnalysisType": "Policy", "Description": "Checks that AWS EC2 AMI's are only launched on approved dedicated hosts.", "DisplayName": "AWS EC2 AMI Approved Host", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_ami_approved_host.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the EC2 instance is running with an instance type approved for its AMI.", "DisplayName": "AWS EC2 AMI Approved Instance Type", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_ami_approved_instance_type.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the EC2 instance was launched with a tenancy approved for its AMI.", "DisplayName": "AWS EC2 AMI Approved Tenancy", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_ami_approved_tenancy.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Multiple different discovery commands were executed by the same EC2 
instance.", "DisplayName": "AWS EC2 Discovery Commands Executed", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/ec2_discovery_commands_query.yml"}, {"AnalysisType": "Rule", "Description": "An entity has accessed the user data scripts of multiple EC2 instances.", "DisplayName": "AWS EC2 Download Instance User Data", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_download_instance_user_data.yml"}, {"AnalysisType": "Rule", "Description": "Identifies disabling of default EBS encryption. Disabling default encryption does not change the encryption status of existing volumes.", "DisplayName": "AWS EC2 EBS Encryption Disabled", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_ebs_encryption_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Checks CloudTrail for occurrences of EC2 Image Actions.", "DisplayName": "AWS EC2 Image Monitoring", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_monitoring.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures the given EC2 instance is running an AMI from the approved list of AMI's.", "DisplayName": "AWS EC2 Instance Approved AMI", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_ami.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures the given EC2 Instance is running on an approved dedicated host.", "DisplayName": "AWS EC2 Instance Approved Host", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_host.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the EC2 instance is running on one of the approved instance types.", "DisplayName": "AWS EC2 Instance Approved Instance Type", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_instance_type.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures the 
given EC2 Instance is running with an approved tenancy option. The possible tenancy options are dedicated, host, and default.", "DisplayName": "AWS EC2 Instance Approved Tenancy", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_tenancy.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the given EC2 Instance is running in an approved VPC.", "DisplayName": "AWS EC2 Instance Approved VPC", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_approved_vpc.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the AWS Instance has Detailed Monitoring Enabled", "DisplayName": "AWS EC2 Instance Detailed Monitoring", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_detailed_monitoring.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures EBS optimization is enabled for the given EC2 instance, if applicable.", "DisplayName": "AWS EC2 Instance EBS Optimization", "LogTypes": ["AWS.EC2.Instance"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_instance_ebs_optimization.yml"}, {"AnalysisType": "Rule", "Description": "Detect when an actor deploys an EC2 instance with an unusual profile based on your business needs.", "DisplayName": "AWS EC2 Launch Unusual EC2 Instances", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_launch_unusual_ec2_instances.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 security group was manually updated without abiding by the organization's accepted processes. 
This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS.", "DisplayName": "AWS EC2 Manual Security Group Change", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml"}, {"AnalysisType": "Rule", "Description": "An actor in AWS has made many attempts to retrieve EC2 passwords. It is typically not necessary to retrieve EC2 passwords more than a few times an hour.", "DisplayName": "AWS EC2 Many Password Read Attempts", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_many_passwors_read_attempts.yml"}, {"AnalysisType": "Rule", "Description": "Detect when an attacker pushes an SSH public key to multiple EC2 instances.", "DisplayName": "AWS EC2 Multi Instance Connect", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_multi_instance_connect.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to the EC2 instance startup script. 
The shell script will be executed as root/SYSTEM every time the specific instances are booted up.", "DisplayName": "AWS EC2 Startup Script Change", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_startup_script_change.yml"}, {"AnalysisType": "Rule", "Description": "This rule captures multiple traffic mirroring events in AWS Cloudtrail.", "DisplayName": "AWS EC2 Traffic Mirroring", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_traffic_mirroring.yml"}, {"AnalysisType": "Policy", "Description": "You can encrypt both the boot and data volumes of an EC2 instance.", "DisplayName": "AWS EC2 Volume Encryption", "LogTypes": ["AWS.EC2.Volume"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_volume_encryption.yml"}, {"AnalysisType": "Policy", "Description": "You can encrypt the snapshot of an EC2 volume to protect against accidental data loss", "DisplayName": "AWS EC2 Volume Snapshot Encryption", "LogTypes": ["AWS.EC2.Volume"], "YAMLPath": "policies/aws_ec2_policies/aws_ec2_volume_snapshot_encrypted.yml"}, {"AnalysisType": "Rule", "Description": "Detecting EC2 instances launched with AMIs containing potentially vulnerable versions of XZ (CVE-2024-3094)", "DisplayName": "AWS EC2 Vulnerable XZ Image Launched", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_vulnerable_xz_image_launched.yml"}, {"AnalysisType": "Rule", "Description": "An ECR event occurred outside of an expected account or region", "DisplayName": "AWS ECR Events", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ecr_events.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that deprecated TLS versions are not supported in internet-facing load balancers", "DisplayName": "AWS ELB SSL Policies", "LogTypes": ["AWS.ELBV2.ApplicationLoadBalancer"], "YAMLPath": "policies/aws_load_balancer_policies/aws_alb_ssl_policy.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates 
that ELBV2 load balancer listeners are using an SSL policy.", "DisplayName": "AWS Enforces SSL Policies", "LogTypes": ["AWS.ELBV2.ApplicationLoadBalancer"], "YAMLPath": "policies/aws_load_balancer_policies/aws_elbv2_load_balancer_has_ssl_policy.yml"}, {"AnalysisType": "Rule", "Description": "A critical-severity GuardDuty finding has been identified.", "DisplayName": "AWS GuardDuty Critical Severity Finding", "LogTypes": ["AWS.GuardDuty"], "YAMLPath": "rules/aws_guardduty_rules/aws_guardduty_critical_sev_findings.yml"}, {"AnalysisType": "Policy", "Description": "GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior.", "DisplayName": "AWS GuardDuty Enabled", "LogTypes": ["AWS.GuardDuty.Detector.Meta"], "YAMLPath": "policies/aws_guardduty_policies/aws_guardduty_enabled.yml"}, {"AnalysisType": "Rule", "Description": "A high-severity GuardDuty finding has been identified.", "DisplayName": "AWS GuardDuty High Severity Finding", "LogTypes": ["AWS.GuardDuty"], "YAMLPath": "rules/aws_guardduty_rules/aws_guardduty_high_sev_findings.yml"}, {"AnalysisType": "Rule", "Description": "A low-severity GuardDuty finding has been identified.", "DisplayName": "AWS GuardDuty Low Severity Finding", "LogTypes": ["AWS.GuardDuty"], "YAMLPath": "rules/aws_guardduty_rules/aws_guardduty_low_sev_findings.yml"}, {"AnalysisType": "Policy", "Description": "Ensure that all GuardDuty logs are sending into a single Master account. 
This is a best practice for centralizing detection logic and useful data during an investigation.", "DisplayName": "AWS GuardDuty Master Account", "LogTypes": ["AWS.GuardDuty.Detector"], "YAMLPath": "policies/aws_guardduty_policies/aws_guardduty_master_account.yml"}, {"AnalysisType": "Rule", "Description": "A medium-severity GuardDuty finding has been identified.", "DisplayName": "AWS GuardDuty Medium Severity Finding", "LogTypes": ["AWS.GuardDuty"], "YAMLPath": "rules/aws_guardduty_rules/aws_guardduty_med_sev_findings.yml"}, {"AnalysisType": "Rule", "Description": "This rule captures multiple read/list events related to IAM group management in AWS Cloudtrail.", "DisplayName": "AWS IAM Group Read Only Events", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_group_read_only_events.yml"}, {"AnalysisType": "Policy", "Description": "This Policy ensures that all IAM groups have at least one IAM user. If they are vacant, they should be deleted.", "DisplayName": "AWS IAM Group Users", "LogTypes": ["AWS.IAM.Group"], "YAMLPath": "policies/aws_iam_policies/aws_iam_group_users.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates IAM users with console passwords have logged in within the past 90 days.", "DisplayName": "AWS IAM Password Unused", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_password_unused.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that there are no IAM policies that grant full administrative privileges to IAM users or groups.", "DisplayName": "AWS IAM Policy Administrative Privileges", "LogTypes": ["AWS.IAM.Policy"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_administrative_privileges.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that there are no IAM policies assigned directly to users. 
Best practice suggests assigning to an IAM group and placing users within that group.", "DisplayName": "AWS IAM Policy Assigned to User", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_assigned_to_user.yml"}, {"AnalysisType": "Policy", "Description": "This detects the usage of highly permissive IAM Policies that should only be assigned to a small number of users, roles, or groups.", "DisplayName": "AWS IAM Policy Blocklist", "LogTypes": ["AWS.IAM.Group", "AWS.IAM.Role", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_blocklist.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that no IAM policies grant admin access. This should be combined with suppressions on the legitimate IAM admin policies in your account so that it only fires when new and unexpected policies granting admin access are created.", "DisplayName": "AWS IAM Policy Does Not Grant Any Administrative Access", "LogTypes": ["AWS.IAM.Policy"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_does_not_grant_admin_access.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that no IAM policies grant admin privileges on network resources. This should be used in conjunction with suppressions for the legitimate network admin policies in your account.", "DisplayName": "AWS IAM Policy Does Not Grant Network Admin Access", "LogTypes": ["AWS.IAM.Policy"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_does_not_grant_network_admin_access.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that policies that have been explicitly configured to be set to certain roles are still attached to those roles.", "DisplayName": "AWS IAM Policy Role Mapping", "LogTypes": ["AWS.IAM.Policy"], "YAMLPath": "policies/aws_iam_policies/aws_iam_policy_role_mapping.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that no IAM entities have inline policies assigned. 
Inline policies are more difficult to administer and audit, and may lead to access that lasts longer than intended.", "DisplayName": "AWS IAM Resource Does Not Have Inline Policy", "LogTypes": ["AWS.IAM.Group", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_resource_does_not_have_inline_policy.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM roles that grant the (specified) permission do not allow accounts outside the organization to assume them.", "DisplayName": "AWS IAM Role Grants (permission) to Non-organizational Account", "LogTypes": ["AWS.IAM.Role"], "YAMLPath": "policies/aws_iam_policies/aws_iam_role_external_permission.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM roles in the account are restrictive in what entities may assume them. This can help prevent malicious actors from assuming roles they should not be assuming.", "DisplayName": "AWS IAM Role Restricts Usage", "LogTypes": ["AWS.IAM.Role"], "YAMLPath": "policies/aws_iam_policies/aws_iam_role_restricts_usage.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that IAM roles used with GitHub Actions are securely configured to prevent unauthorized access to AWS resources. It validates trust relationships by checking for proper audience (aud) restrictions, ensuring it is set to sts.amazonaws.com, and subject (sub) conditions, confirming they are scoped to specific repositories or environments. Misconfigurations, such as overly permissive wildcards or missing conditions, can allow unauthorized repositories to assume roles, leading to potential data breaches or compliance violations. 
By enforcing these checks, the policy mitigates risks of exploitation, enhances security posture, and protects critical AWS resources from external threats.", "DisplayName": "AWS IAM Role Trust Relationship for GitHub Actions", "LogTypes": ["AWS.IAM.Role"], "YAMLPath": "policies/aws_iam_policies/aws_iam_role_github_actions_trust.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all AWS IAM users with access to the AWS Console have Multi-Factor Authentication (MFA) enabled.", "DisplayName": "AWS IAM User MFA ", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_user_mfa.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM users are not in IAM groups that are considered mutually exclusive. For example, in some workflows developers are responsible for dev environments and sysadmins are responsible for prod environments. In this situation no (or very few) users should be in both sysadmin and developer groups. This is in following with the principle of least privilege.", "DisplayName": "AWS IAM User Not In Conflicting Groups", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_user_not_in_conflicting_groups.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that customer master keys (CMKs) have automatic key rotation enabled.", "DisplayName": "AWS KMS CMK Key Rotation", "LogTypes": ["AWS.KMS.Key"], "YAMLPath": "policies/aws_kms_policies/aws_cmk_key_rotation.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that KMS Keys restrict what entities can use them and how. 
This is to ensure that encryption keys are limited in who can use them in order to prevent unapproved decryption.", "DisplayName": "AWS KMS Key Restricts Usage", "LogTypes": ["AWS.KMS.Key"], "YAMLPath": "policies/aws_kms_policies/aws_kms_key_policy_restricts_usage.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that the function policy attached to the Lambda resource prohibits public access", "DisplayName": "AWS Lambda Public Access", "LogTypes": ["AWS.Lambda.Function"], "YAMLPath": "policies/aws_lambda_policies/aws_lambda_public_access.yml"}, {"AnalysisType": "Rule", "Description": "Amazon Macie is a data security and data privacy service to discover and protect sensitive data. Security teams use Macie to detect open S3 Buckets that could have potentially sensitive data in it along with policy violations, such as missing Encryption. If an attacker disables Macie, it could potentially hide data exfiltration.", "DisplayName": "AWS Macie Disabled/Updated", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_macie_evasion.yml"}, {"AnalysisType": "Rule", "Description": "Detection when EC2 compute infrastructure is modified outside of expected automation methods.", "DisplayName": "AWS Modify Cloud Compute Infrastructure", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_modify_cloud_compute_infrastructure.yml"}, {"AnalysisType": "Rule", "Description": "A Network ACL entry that allows access from anywhere was added.", "DisplayName": "AWS Network ACL Overly Permissive Entry Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Network ACLs restrict inbound traffic in some way.", "DisplayName": "AWS Network ACL Restricts Inbound Traffic", "LogTypes": ["AWS.EC2.NetworkACL"], "YAMLPath": "policies/aws_vpc_policies/aws_network_acl_restricts_inbound_traffic.yml"}, 
{"AnalysisType": "Policy", "Description": "This policy validates that Network ACLs block the usage of ports typically associated with insecure or unencrypted protocols.", "DisplayName": "AWS Network ACL Restricts Insecure Protocols", "LogTypes": ["AWS.EC2.NetworkACL"], "YAMLPath": "policies/aws_vpc_policies/aws_network_acl_restricts_insecure_protocols.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Network ACLs have some restrictions on outbound traffic.", "DisplayName": "AWS Network ACL Restricts Outbound Traffic", "LogTypes": ["AWS.EC2.NetworkACL"], "YAMLPath": "policies/aws_vpc_policies/aws_network_acl_restricts_outbound_traffic.yml"}, {"AnalysisType": "Policy", "Description": "SSH access should only be granted from protected network CIDR ranges.", "DisplayName": "AWS Network ACL Restricts SSH", "LogTypes": ["AWS.EC2.NetworkACL"], "YAMLPath": "policies/aws_vpc_policies/aws_network_acl_restricted_ssh.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the account password policy enforces the recommended password complexity requirements.", "DisplayName": "AWS Password Policy Complexity Guidelines", "LogTypes": ["AWS.PasswordPolicy"], "YAMLPath": "policies/aws_account_policies/aws_password_policy_complexity_guidelines.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the account password policy enforces a maximum password age of 90 days or less.", "DisplayName": "AWS Password Policy Password Age Limit", "LogTypes": ["AWS.PasswordPolicy"], "YAMLPath": "policies/aws_account_policies/aws_password_policy_password_age_limit.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the account password policy prevents users from re-using previous passwords, and prevents password reuse for 24 or more prior passwords.", "DisplayName": "AWS Password Policy Password Reuse", "LogTypes": ["AWS.PasswordPolicy"], "YAMLPath": 
"policies/aws_account_policies/aws_password_policy_password_reuse.yml"}, {"AnalysisType": "Rule", "Description": "Identifies when a permission is added to a Lambda function, which could indicate a potential security risk.", "DisplayName": "AWS Potential Backdoor Lambda Function Through Resource-Based Policy", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_backdoor_lambda_function.yml"}, {"AnalysisType": "Scheduled Query", "Description": "A role was assumed by an AWS service, followed by a user within 24 hours. This could indicate a stolen or compromised AWS service role.", "DisplayName": "AWS Potentially Stolen Service Role", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/aws_potentially_compromised_service_role_query.yml"}, {"AnalysisType": "Correlation Rule", "Description": "", "DisplayName": "AWS Privilege Escalation Via User Compromise", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_privilege_escalation_via_user_compromise.yml"}, {"AnalysisType": "Rule", "Description": "Detects the recovery of a new public database instance from a snapshot. It may be part of data exfiltration.", "DisplayName": "AWS Public RDS Restore", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_rds_publicrestore.yml"}, {"AnalysisType": "Policy", "Description": "This Policy ensures that RDS Instances have Backups enabled. 
Backups are an important aspect of disaster recovery that can protect sensitive data from destruction.", "DisplayName": "AWS RDS Instance Backup", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_backup.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that RDS instances have encryption enabled.", "DisplayName": "AWS RDS Instance Encryption", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_encryption.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that RDS instances are configured with a backup retention period that is acceptable to company policy. This ensures for both compliance and security reasons that records are kept for a minimum period of time, and for compliance and performance reasons that records are not kept indefinitely.", "DisplayName": "AWS RDS Instance Has Acceptable Backup Retention Period", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_backup_retention_acceptable.yml"}, {"AnalysisType": "Policy", "Description": "This Policy ensures that RDS Instances have are running in High Availability mode to provide redundancy in the event of an operational failure. 
For Aurora, storage is replicated across all the Availability Zones and doesn't require this setting.", "DisplayName": "AWS RDS Instance High Availability", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_high_availability.yml"}, {"AnalysisType": "Policy", "Description": "If you want Amazon RDS to upgrade the DB engine version of a database automatically, you can enable auto minor version upgrades for the database.", "DisplayName": "AWS RDS Instance Minor Version Upgrades", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_auto_minor_version_upgrade_enabled.yml"}, {"AnalysisType": "Policy", "Description": "This Policy checks that an RDS Instance is not accessible from the public internet.", "DisplayName": "AWS RDS Instance Public Access", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_public_access.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that RDS Instance snapshots are not publicly restorable. This would allow anyone to restore an old version of your database and have full access to its contents.", "DisplayName": "AWS RDS Instance Snapshot Public Access", "LogTypes": ["AWS.RDS.Instance"], "YAMLPath": "policies/aws_rds_policies/aws_rds_instance_snapshot_public_access.yml"}, {"AnalysisType": "Rule", "Description": "A manual snapshot of an RDS database was created. 
An attacker may use this to exfiltrate the DB contents to another account; use this as a correlation rule.", "DisplayName": "AWS RDS Manual/Public Snapshot Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_rds_manual_snapshot_created.yml"}, {"AnalysisType": "Rule", "Description": "A sensitive database operation that should be performed carefully or rarely", "DisplayName": "AWS RDS Master Password Updated", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_rds_master_pass_updated.yml"}, {"AnalysisType": "Rule", "Description": "An RDS snapshot was shared with another account. This could be an indicator of exfiltration.", "DisplayName": "AWS RDS Snapshot Shared", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_rds_snapshot_shared.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Clusters have encryption enabled.", "DisplayName": "AWS Redshift Cluster Encryption", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_encryption.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Cluster snapshot retention periods are set to an appropriate time. This ensures that records are kept long enough for compliance and security reasons, but no too long for compliance and performance reasons.", "DisplayName": "AWS Redshift Cluster Has Acceptable Snapshot Retention Period", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention_acceptable.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Cluster have logging enabled. 
This includes audit logs.", "DisplayName": "AWS Redshift Cluster Logging", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_logging.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Clusters have the correct preferred maintenance window configured.", "DisplayName": "AWS Redshift Cluster Maintenance Window", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_maintenance_window.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Clusters have sufficient snapshot retention periods, so that snapshots are not lost before they are needed.", "DisplayName": "AWS Redshift Cluster Snapshot Retention", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_snapshot_retention.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Redshift Clusters automatically perform upgrades during scheduled maintenance windows.", "DisplayName": "AWS Redshift Cluster Version Upgrade", "LogTypes": ["AWS.Redshift.Cluster"], "YAMLPath": "policies/aws_redshift_policies/aws_redshift_cluster_version_upgrade.yml"}, {"AnalysisType": "Rule", "Description": "Some AWS resource was made publicly accessible over the internet. 
Checks ECR, Elasticsearch, KMS, S3, S3 Glacier, SNS, SQS, and Secrets Manager.", "DisplayName": "AWS Resource Made Public", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_resource_made_public.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that applicable resources have a minimum number of tags set.", "DisplayName": "AWS Resource Minimum Tags ", "LogTypes": ["AWS.EC2.Instance", "AWS.EC2.SecurityGroup", "AWS.EC2.VPC", "AWS.IAM.User"], "YAMLPath": "policies/aws_account_policies/aws_resource_minimum_tags.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that AWS resources have specific tags, dependent on their resource type.", "DisplayName": "AWS Resource Required Tags", "LogTypes": ["AWS.EC2.Instance", "AWS.EC2.SecurityGroup", "AWS.EC2.VPC", "AWS.IAM.User"], "YAMLPath": "policies/aws_account_policies/aws_resource_required_tags.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that no programmatic access keys exist for the root account.", "DisplayName": "AWS Root Account Access Keys", "LogTypes": ["AWS.IAM.RootUser"], "YAMLPath": "policies/aws_iam_policies/aws_root_account_access_keys.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that a hardware MFA device is in use for access to the root account.", "DisplayName": "AWS Root Account Hardware MFA", "LogTypes": ["AWS.IAM.RootUser"], "YAMLPath": "policies/aws_iam_policies/aws_root_account_hardware_mfa.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Multi Factor Authentication (MFA) is required for access to the root account.", "DisplayName": "AWS Root Account MFA", "LogTypes": ["AWS.IAM.RootUser"], "YAMLPath": "policies/aws_iam_policies/aws_root_account_mfa.yml"}, {"AnalysisType": "Rule", "Description": "Checks for errors during S3 Object access. 
This could be due to insufficient access permissions, non-existent buckets, or other reasons.", "DisplayName": "AWS S3 Access Error", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_access_error.yml"}, {"AnalysisType": "Rule", "Description": "Checks that the remote IP accessing the S3 bucket is in the IP allowlist.", "DisplayName": "AWS S3 Access IP Allowlist", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_access_ip_allowlist.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that the S3 bucket policy does not allow any action on the bucket, in accordance with the principal of least privilege.", "DisplayName": "AWS S3 Bucket Action Restrictions", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_action_restrictions.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that the S3 bucket has encryption enabled.", "DisplayName": "AWS S3 Bucket Encryption", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_encryption.yml"}, {"AnalysisType": "Policy", "Description": "Verifies that the S3 Bucket Object Lifecycle configuration expires data within 90 and 365 days.", "DisplayName": "AWS S3 Bucket Lifecycle Configuration", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_lifecycle_configuration.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that a logging policy is set for the S3 bucket.", "DisplayName": "AWS S3 Bucket Logging", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_logging.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that MFA delete is enabled for a bucket so that all objects can only be deleted by users authenticated with MFA.", "DisplayName": "AWS S3 Bucket MFA Delete", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_mfa_delete.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that 
the AWS S3 bucket name is DNS compliant.", "DisplayName": "AWS S3 Bucket Name DNS Compliance", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_name_dns_compliance.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that S3 buckets have an Object Lock configuration enabled. This should be used with specific suppression lists to ensure it is applied only to appropriate S3 buckets, such as those containing CloudTrail or other auditable records.", "DisplayName": "AWS S3 Bucket Object Lock Configured", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_object_lock_configured.yml"}, {"AnalysisType": "Policy", "Description": "Prevents the use of a 'Not' principal in conjunction with an allow effect in an S3 bucket policy, which would allow global access for the resource besides the principals specified.", "DisplayName": "AWS S3 Bucket Policy Allow With Not Principal", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_policy_allow_with_not_principal.yml"}, {"AnalysisType": "Rule", "Description": "An S3 Bucket was modified.", "DisplayName": "AWS S3 Bucket Policy Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_s3_bucket_policy_modified.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that S3 Bucket access policies do not allow all users (Principal:\"*\") for a given action on the bucket, in accordance with the principle of least privilege.", "DisplayName": "AWS S3 Bucket Principal Restrictions", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_principal_restrictions.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that a Public Access Block Configuration is set for the given S3 bucket.", "DisplayName": "AWS S3 Bucket Public Access Block", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_public_access_block.yml"}, 
{"AnalysisType": "Policy", "Description": "Ensures that the S3 bucket is not publicly readable.", "DisplayName": "AWS S3 Bucket Public Read", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_public_read.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that the S3 bucket is not publicly writeable.", "DisplayName": "AWS S3 Bucket Public Write", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_public_write.yml"}, {"AnalysisType": "Policy", "Description": "Ensures access to S3 buckets is forced to use a secure (HTTPS) connection.", "DisplayName": "AWS S3 Bucket Secure Access", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_secure_access.yml"}, {"AnalysisType": "Policy", "Description": "Checks that object versioning is enabled in the S3 bucket.", "DisplayName": "AWS S3 Bucket Versioning", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_versioning.yml"}, {"AnalysisType": "Rule", "Description": "Checks if HTTP (unencrypted) was used to access objects in an S3 bucket, as opposed to HTTPS (encrypted).", "DisplayName": "AWS S3 Insecure Access", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_insecure_access.yml"}, {"AnalysisType": "Rule", "Description": "Checks for S3 access attempts where the requester is not an authenticated AWS user.", "DisplayName": "AWS S3 Unauthenticated Access", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_unauthenticated_access.yml"}, {"AnalysisType": "Rule", "Description": "Validates that proper IAM entities are accessing sensitive data buckets.", "DisplayName": "AWS S3 Unknown Requester", "LogTypes": ["AWS.S3ServerAccess"], "YAMLPath": "rules/aws_s3_rules/aws_s3_unknown_requester_get_object.yml"}, {"AnalysisType": "Rule", "Description": "Identifies when SAML activity has occurred in AWS. 
An adversary could gain backdoor access via SAML.", "DisplayName": "AWS SAML Activity", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_saml_activity.yml"}, {"AnalysisType": "Rule", "Description": "An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets.", "DisplayName": "AWS Secrets Manager Batch Retrieve Secrets", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_batch.yml"}, {"AnalysisType": "Rule", "Description": "An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets. Although BatchGetSecretValue requires a list of secret IDs or a filter, an attacker may use a catch-all filter to retrieve all secrets by batch. This rule identifies BatchGetSecretValue events with a catch-all filter.", "DisplayName": "AWS Secrets Manager Batch Retrieve Secrets Catch-All", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_catchall.yml"}, {"AnalysisType": "Rule", "Description": "An attacker attempted to retrieve a high number of Secrets Manager secrets by batch, through secretsmanager:BatchGetSecretValue (released Novemeber 2023). An attacker may attempt to retrieve a high number of secrets by batch, to avoid detection and generate fewer calls. Note that the batch size is limited to 20 secrets. 
This rule identifies BatchGetSecretValue events for multiple regions in a short period of time.", "DisplayName": "AWS Secrets Manager Retrieve Secrets Multi-Region", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets_multiregion.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that only Security Groups designated as DMZs allow inbound traffic from public IP space. This helps ensure no traffic is bypassing the DMZ.", "DisplayName": "AWS Security Group - Only DMZ Publicly Accessible", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_only_dmz_security_groups_publicly_accessible.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that AWS Security Groups don't allow unrestricted inbound traffic on port 3389 or 22, ports commonly used for the remote access protocols RDP and SSH respectively.", "DisplayName": "AWS Security Group Administrative Ingress", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_administrative_ingress.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that are considered part of the PCI CDE do not allow any access from public IP space.", "DisplayName": "AWS Security Group Restricts Access To CDE", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_access_to_cde.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have some restrictions on inbound traffic.", "DisplayName": "AWS Security Group Restricts Inbound Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_inbound_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have restrictions on inter Security Group traffic. 
Administrators may assume there is an implicit level of trust between Security Groups in the same account, but this is not always a good assumption in cases one Security Group contains far more sensitive data that another.", "DisplayName": "AWS Security Group Restricts Inter-SG Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_inter_security_group_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have some restrictions on outbound traffic.", "DisplayName": "AWS Security Group Restricts Outbound Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_outbound_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that there are restrictions on what type of traffic may leave Security Groups that are considered with the scope of the PCI CDE. These restrictions help ensure that cardholder data does not leave the CDE.", "DisplayName": "AWS Security Group Restricts Traffic Leaving CDE", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_restricts_traffic_leaving_cde.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have restrictive permission sets that both limit the total number of open ports, as well as limiting ports typically associated with insecure protocols.", "DisplayName": "AWS Security Group Tightly Restricts Inbound Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": "policies/aws_vpc_policies/aws_security_group_tightly_restricts_inbound_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that Security Groups have restrictive controls on outbound traffic.", "DisplayName": "AWS Security Group Tightly Restricts Outbound Traffic", "LogTypes": ["AWS.EC2.SecurityGroup"], "YAMLPath": 
"policies/aws_vpc_policies/aws_security_group_tightly_restricts_outbound_traffic.yml"}, {"AnalysisType": "Rule", "Description": "Detections modification of findings in SecurityHub", "DisplayName": "AWS SecurityHub Finding Evasion", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_securityhub_finding_evasion.yml"}, {"AnalysisType": "Rule", "Description": "An AWS storage snapshot was made public.", "DisplayName": "AWS Snapshot Made Public", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_snapshot_made_public.yml"}, {"AnalysisType": "Rule", "Description": "A user is obtaining a list of security software, configurations, defensive tools, and sensors that are in AWS.", "DisplayName": "AWS Software Discovery", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_software_discovery.yml"}, {"AnalysisType": "Correlation Rule", "Description": "When using AWS in an enterprise environment, best practices dictate to use a single sign-on service for identity and access management. AWS SSO is a popular solution, integrating with third-party providers such as Okta and allowing to centrally manage roles and permissions in multiple AWS accounts.In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing \u2013 just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level.", "DisplayName": "AWS SSO Access Token Retrieved by Unauthenticated IP", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_sso_access_token_retrieved_by_unauthenticated_ip.yml"}, {"AnalysisType": "Rule", "Description": "Detects creation and updates of the list of trusted IPs used by GuardDuty and WAF. 
Potentially to disable security alerts against malicious IPs.", "DisplayName": "AWS Trusted IPSet Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ipset_modified.yml"}, {"AnalysisType": "Rule", "Description": "Monitor application logs for suspicious events including repeated MFA failures that may indicate user's primary credentials have been compromised.", "DisplayName": "AWS Unsuccessful MFA attempt", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_unsuccessful_mfa_attempt.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM user access keys are used at least once every 90 days.", "DisplayName": "AWS Unused Access Key", "LogTypes": ["AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_access_key_unused.yml"}, {"AnalysisType": "Rule", "Description": "Detects AWS API key creation for a user by another user. Backdoored users can be used to obtain persistence in the AWS environment.", "DisplayName": "AWS User API Key Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml"}, {"AnalysisType": "Rule", "Description": "An attacker with iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console. 
May be legitimate account administration.", "DisplayName": "AWS User Login Profile Created or Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_loginprofilecreatedormodified.yml"}, {"AnalysisType": "Correlation Rule", "Description": "", "DisplayName": "AWS User Takeover Via Password Reset", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_user_takeover_via_password_reset.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the default Network ACL for a given AWS VPC is restricting all inbound and outbound traffic.", "DisplayName": "AWS VPC Default Network ACL Restricts All Traffic", "LogTypes": ["AWS.EC2.VPC"], "YAMLPath": "policies/aws_vpc_policies/aws_vpc_default_network_acl_restricts_all_traffic.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that the default Security Group for a given AWS VPC is restricting all inbound and outbound traffic.", "DisplayName": "AWS VPC Default Security Group Restrictions ", "LogTypes": ["AWS.EC2.VPC"], "YAMLPath": "policies/aws_vpc_policies/aws_vpc_default_security_restrictions.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that AWS VPCs (Virtual Private Clouds) have network flow logging enabled.", "DisplayName": "AWS VPC Flow Logs", "LogTypes": ["AWS.EC2.VPC"], "YAMLPath": "policies/aws_vpc_policies/aws_vpc_flow_logs.yml"}, {"AnalysisType": "Rule", "Description": "Detects when logs for a VPC have been removed.", "DisplayName": "AWS VPC Flow Logs Removed", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Checks for the log status `SKIPDATA`, which indicates that data was lost either to an internal server error or due to capacity constraints.", "DisplayName": "AWS VPC Healthy Log Status", "LogTypes": ["AWS.VPCFlow", "OCSF.NetworkActivity"], "YAMLPath": 
"rules/aws_vpc_flow_rules/aws_vpc_healthy_log_status.yml"}, {"AnalysisType": "Rule", "Description": "Detection to alert when a WAF disassociates from a source.", "DisplayName": "AWS WAF Disassociation", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_waf_disassociation.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all WAF's have at least one rule with a predicate matching on and blocking XSS attacks.", "DisplayName": "AWS WAF Has XSS Predicate", "LogTypes": ["AWS.WAF.Regional.WebACL", "AWS.WAF.WebACL"], "YAMLPath": "policies/aws_waf_policies/aws_waf_has_xss_predicate.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that AWS WAF logging is enabled and that the logs are being sent to a valid destination (S3, CloudWatch, or Kinesis Firehose). Without logging, visibility into WAF activity is severely limited, increasing the risk of undetected attacks.", "DisplayName": "AWS WAF Logging Configured", "LogTypes": ["AWS.WAF.Regional.WebACL", "AWS.WAF.WebACL"], "YAMLPath": "policies/aws_waf_policies/aws_waf_logging_configured.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that all WAF's have the correct rule ordering. Incorrect rule ordering could lead to less restrictive rules being matched and allowing traffic through before more restrictive rules that should have blocked the traffic.", "DisplayName": "AWS WAF Rule Ordering", "LogTypes": ["AWS.WAF.Regional.WebACL", "AWS.WAF.WebACL"], "YAMLPath": "policies/aws_waf_policies/aws_waf_rule_ordering.yml"}, {"AnalysisType": "Policy", "Description": "This policy ensures that AWS WAF WebACLs are associated with at least one resource (ALB, CloudFront Distribution, or API Gateway). 
If a WebACL is not associated with any resources, it is inactive and not providing any protection.", "DisplayName": "AWS WAF WebACL Has Associated Resources", "LogTypes": ["AWS.WAF.Regional.WebACL", "AWS.WAF.WebACL"], "YAMLPath": "policies/aws_waf_policies/aws_waf_webacl_has_associated_resources.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Identifies when an Administrative IAM user is creates. This could indicate a potential security breach.", "DisplayName": "AWS.Administrative.IAM.User.Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_create_admin_iam_user.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "AWS.CloudTrail.UserAccessKeyAuth", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_useraccesskeyauth.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for a Azure users inviting external users", "DisplayName": "Azure Invite External Users", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_invite_external_users.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for a number of failed sign-ins for the same ServicePrincipalName or UserPrincipalName", "DisplayName": "Azure Many Failed SignIns", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_failed_signins.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for MFA being disabled in conditional access policy", "DisplayName": "Azure MFA Disabled", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_mfa_disabled.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for policy changes in AuditLogs", "DisplayName": "Azure Policy Changed", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_policy_changed.yml"}, {"AnalysisType": "Rule", "Description": "This detection surfaces an alert based on riskLevelAggregated, riskLevelDuringSignIn, and 
riskState.riskLevelAggregated and riskLevelDuringSignIn are only expected for Azure AD Premium P2 customers.", "DisplayName": "Azure RiskLevel Passthrough", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_risklevel_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for a change in member's PIM roles in EntraID", "DisplayName": "Azure Role Changed PIM", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_role_changed_pim.yml"}, {"AnalysisType": "Rule", "Description": "This detection looks for Successful Logins that have used legacy authentication protocols", "DisplayName": "Azure SignIn via Legacy Authentication Protocol", "LogTypes": ["Azure.Audit"], "YAMLPath": "rules/azure_signin_rules/azure_legacyauth.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when a user defined list of sensitive items in 1Password is accessed", "DisplayName": "BETA - Sensitive 1Password Item Accessed", "LogTypes": ["OnePassword.ItemUsage"], "YAMLPath": "rules/onepassword_rules/onepassword_lut_sensitive_item_access.yml"}, {"AnalysisType": "Rule", "Description": "A user granted access to their box account to Box technical support from account settings.", "DisplayName": "Box Access Granted", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_access_granted.yml"}, {"AnalysisType": "Rule", "Description": "A user violated the content workflow policy.", "DisplayName": "Box Content Workflow Policy Violation", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_policy_violation.yml"}, {"AnalysisType": "Rule", "Description": "An external user has triggered a box enterprise event.", "DisplayName": "Box event triggered by unknown or external user", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_event_triggered_externally.yml"}, {"AnalysisType": "Rule", "Description": "A user has shared an item and it is accessible to anyone with the share link (internal or external to the company). 
This rule requires that the boxsdk[jwt] be installed in the environment.", "DisplayName": "Box item shared externally", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_item_shared_externally.yml"}, {"AnalysisType": "Rule", "Description": "A user has exceeded the threshold for number of downloads within a single time frame.", "DisplayName": "Box Large Number of Downloads", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_user_downloads.yml"}, {"AnalysisType": "Rule", "Description": "A user has exceeded the threshold for number of folder permission changes within a single time frame.", "DisplayName": "Box Large Number of Permission Changes", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_user_permission_updates.yml"}, {"AnalysisType": "Rule", "Description": "A user logged in from a new device.", "DisplayName": "Box New Login", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_new_login.yml"}, {"AnalysisType": "Rule", "Description": "A user's download activity has altered significantly.", "DisplayName": "Box Shield Detected Anomalous Download Activity", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_anomalous_download.yml"}, {"AnalysisType": "Rule", "Description": "A user login event or session event was tagged as medium to high severity by Box Shield.", "DisplayName": "Box Shield Suspicious Alert Triggered", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_suspicious_login_or_session.yml"}, {"AnalysisType": "Rule", "Description": "A user attempted to login from an untrusted device.", "DisplayName": "Box Untrusted Device Login", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_untrusted_device.yml"}, {"AnalysisType": "Rule", "Description": "An actor user was denied login access more times than the configured threshold.", "DisplayName": "Brute Force By IP", "LogTypes": ["AWS.CloudTrail", "Asana.Audit", "Atlassian.Audit", "Box.Event", "GSuite.Reports", "Okta.SystemLog", "OneLogin.Events", 
"OnePassword.SignInAttempt"], "YAMLPath": "rules/standard_rules/brute_force_by_ip.yml"}, {"AnalysisType": "Rule", "Description": "An actor user was denied login access more times than the configured threshold.", "DisplayName": "Brute Force By User", "LogTypes": ["AWS.CloudTrail", "Asana.Audit", "Atlassian.Audit", "Box.Event", "GSuite.Reports", "Okta.SystemLog", "OneLogin.Events", "OnePassword.SignInAttempt"], "YAMLPath": "rules/standard_rules/brute_force_by_user.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user is granted Admin or Super Admin permissions.", "DisplayName": "Carbon Black Admin Role Granted", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_admin_grant.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user creates a new API key or retrieves an existing key.", "DisplayName": "Carbon Black API Key Created or Retrieved", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_api_key_created_retrieved.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user disables or deletes a Data Forwarder.", "DisplayName": "Carbon Black Data Forwarder Stopped", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_data_forwarder_stopped.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Carbon Black has flagged a log as important, such as failed login attempts and locked accounts.", "DisplayName": "Carbon Black Log Entry Flagged", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_flagged.yml"}, {"AnalysisType": "Rule", "Description": "This rule enriches and contextualizes security alerts generated by Carbon Black. 
The alert title and description are dynamically updated based on data included in the alert log.", "DisplayName": "Carbon Black Passthrough Rule", "LogTypes": ["CarbonBlack.AlertV2"], "YAMLPath": "rules/carbonblack_rules/cb_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user from a different organization is added to Carbon Black.", "DisplayName": "Carbon Black User Added Outside Org", "LogTypes": ["CarbonBlack.Audit"], "YAMLPath": "rules/carbonblack_rules/cb_audit_user_added_outside_org.yml"}, {"AnalysisType": "Rule", "Description": "Monitor blocked domains", "DisplayName": "Cisco Umbrella Domain Blocked", "LogTypes": ["CiscoUmbrella.DNS"], "YAMLPath": "rules/cisco_umbrella_dns_rules/domain_blocked.yml"}, {"AnalysisType": "Rule", "Description": "Identify lookups to suspicious domains that could indicate a phishing attack.", "DisplayName": "Cisco Umbrella Domain Name Fuzzy Matching", "LogTypes": ["CiscoUmbrella.DNS"], "YAMLPath": "rules/cisco_umbrella_dns_rules/fuzzy_matching_domains.yml"}, {"AnalysisType": "Rule", "Description": "Monitor suspicious or known malicious domains", "DisplayName": "Cisco Umbrella Suspicious Domains", "LogTypes": ["CiscoUmbrella.DNS"], "YAMLPath": "rules/cisco_umbrella_dns_rules/suspicious_domains.yml"}, {"AnalysisType": "Rule", "Description": "Monitors for bots making HTTP Requests at a rate higher than 2req/sec", "DisplayName": "Cloudflare Bot High Volume", "LogTypes": ["Cloudflare.HttpRequest"], "YAMLPath": "rules/cloudflare_rules/cloudflare_httpreq_bot_high_volume.yml"}, {"AnalysisType": "Rule", "Description": "Layer 7 Distributed Denial of Service (DDoS) detected", "DisplayName": "Cloudflare L7 DDoS", "LogTypes": ["Cloudflare.Firewall"], "YAMLPath": "rules/cloudflare_rules/cloudflare_firewall_ddos.yml"}, {"AnalysisType": "Rule", "Description": "A CloudTrail instances were stopped. 
It makes further changes of instances possible", "DisplayName": "CloudTrail EC2 StopInstances", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_stopinstances.yml"}, {"AnalysisType": "Rule", "Description": "A CloudTrail Trail was modified to exclude management events for 1 or more resource types.", "DisplayName": "CloudTrail Event Selectors Disabled", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect password spraying account using a scheduled query", "DisplayName": "CloudTrail Password Spraying", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/cloudtrail_password_spraying.yml"}, {"AnalysisType": "Rule", "Description": "A CloudTrail Trail was modified.", "DisplayName": "CloudTrail Stopped", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_cloudtrail_stopped.yml"}, {"AnalysisType": "Rule", "Description": "An AWS CodeBuild Project was made publicly accessible", "DisplayName": "CodeBuild Project made Public", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_codebuild_made_public.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when a user defined list of sensitive items in 1Password is accessed", "DisplayName": "Configuration Required - Sensitive 1Password Item Accessed", "LogTypes": ["OnePassword.ItemUsage"], "YAMLPath": "rules/onepassword_rules/onepassword_sensitive_item_access.yml"}, {"AnalysisType": "Rule", "Description": "Detection to alert when internal asset is communicating with an sanctioned destination. 
This detection leverages Panther UDM and IPInfo enrichment.", "DisplayName": "Connection to Embargoed Country", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_connection_to_embargoed_country.yml"}, {"AnalysisType": "Rule", "Description": "A user was assigned a priviledged role", "DisplayName": "Crowdstrike Admin Role Assigned", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_admin_role_assigned.yml"}, {"AnalysisType": "Rule", "Description": "A user deleted an allowlist", "DisplayName": "Crowdstrike Allowlist Removed", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_allowlist_removed.yml"}, {"AnalysisType": "Rule", "Description": "A user created an API Key in CrowdStrike", "DisplayName": "Crowdstrike API Key Created", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_api_key_created.yml"}, {"AnalysisType": "Rule", "Description": "A user deleted an API Key in CrowdStrike", "DisplayName": "Crowdstrike API Key Deleted", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_api_key_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects usage of tools commonly used for credential dumping.", "DisplayName": "Crowdstrike Credential Dumping Tool", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_credential_dumping_tool.yml"}, {"AnalysisType": "Rule", "Description": "Detects the execution of known crytocurrency mining tools.", "DisplayName": "Crowdstrike Cryptomining Tools ", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_cryptomining_tools.yml"}, {"AnalysisType": "Rule", "Description": "Crowdstrike Falcon has detected malicious activity on a host.", "DisplayName": "Crowdstrike Detection Passthrough", "LogTypes": 
["Crowdstrike.DetectionSummary", "Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_detection_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "Forwards any alerts generated by CrowdStrike to your Panther destinations.", "DisplayName": "Crowdstrike Detection Summary", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Detects when a user account is created and deleted within 12 hours. This aims to detect ephemeral user accounts infiltrators might use to avoid suspicion.", "DisplayName": "Crowdstrike Ephemeral User Account", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_ephemeral_user_account.yml"}, {"AnalysisType": "Rule", "Description": "Living off the land binaries and script usage", "DisplayName": "Crowdstrike FDR LOLBAS", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_lolbas.yml"}, {"AnalysisType": "Rule", "Description": "Updates were made to Falcon console's allowlist. 
This could indicate a bad actor permitting access from another machine, or could be attackers preventing legitimate actors from accessing the console.", "DisplayName": "Crowdstrike IP Allowlist Changed", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_ip_allowlist_changed.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects creation of large zip files, which can indicate attempts of exfiltration", "DisplayName": "CrowdStrike Large Zip Creation", "LogTypes": ["Crowdstrike.Unknown"], "YAMLPath": "queries/crowdstrike_queries/CrowdStrike_Large_Zip_Creation.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects creation of large zip files, which can indicate attempts of exfiltration (crowdstrike_fdrevent table)", "DisplayName": "CrowdStrike Large Zip Creation (crowdstrike_fdrevent table)", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "queries/crowdstrike_queries/CrowdStrike_Large_Zip_Creation_FDREvent.yml"}, {"AnalysisType": "Rule", "Description": "Detects attempt to install a root certificate on MacOS", "DisplayName": "CrowdStrike MacOS Added Trusted Cert", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_macos_add_trusted_cert.yml"}, {"AnalysisType": "Rule", "Description": "Detects usage of osascript with administrator privileges", "DisplayName": "CrowdStrike MacOS Osascript as Administrator", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_macos_osascript_administrator.yml"}, {"AnalysisType": "Rule", "Description": "Detects the usage of plutil to modify plist files. 
Plist files run on start up and are often used by attackers to maintain persistence.", "DisplayName": "CrowdStrike MacOS plutil Usage", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_macos_plutil_usage.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Detects when a user account is created and assigned admin permissions", "DisplayName": "Crowdstrike New Admin User Created", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_admin_user_created.yml"}, {"AnalysisType": "Rule", "Description": "A new Crowdstrike user was created", "DisplayName": "Crowdstrike New User Created", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_new_user_created.yml"}, {"AnalysisType": "Rule", "Description": "Alert when someone uses Crowdstrike\u2019s RTR (real-time response) capability to access a machine remotely to run commands.", "DisplayName": "Crowdstrike Real Time Response (RTS) Session", "LogTypes": ["Crowdstrike.FDREvent", "Crowdstrike.Unknown"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_real_time_response_session.yml"}, {"AnalysisType": "Rule", "Description": "Detects usage of common remote access tools.", "DisplayName": "Crowdstrike Remote Access Tool Execution", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_remote_access_tool_execution.yml"}, {"AnalysisType": "Rule", "Description": "Detects usage of tools commonly used to to establish reverse shells on Windows machines.", "DisplayName": "Crowdstrike Reverse Shell Tool Executed", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_reverse_shell_tool_executed.yml"}, {"AnalysisType": "Rule", "Description": "A single IP (instead of a CIDR range) was allowlisted. 
This could indicate a bad actor permitting access from another machine.", "DisplayName": "Crowdstrike Single IP Allowlisted", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_single_ip_allowlisted.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user attempts to clear system logs.", "DisplayName": "Crowdstrike Systemlog Tampering", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_systemlog_tampering.yml"}, {"AnalysisType": "Rule", "Description": "Detects unusual parent child process pairings.", "DisplayName": "Crowdstrike Unusual Parent Child Processes", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_unusual_parent_child_processes.yml"}, {"AnalysisType": "Rule", "Description": "Someone has deleted multiple users.", "DisplayName": "Crowdstrike User Deleted", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_user_deleted.yml"}, {"AnalysisType": "Rule", "Description": "A user's password was changed", "DisplayName": "Crowdstrike User Password Changed", "LogTypes": ["Crowdstrike.EventStreams"], "YAMLPath": "rules/crowdstrike_rules/event_stream_rules/crowdstrike_password_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects execution of WMI queries involving information gathering or actions on remote systems, which could indicate reconnaissance or lateral movement.", "DisplayName": "Crowdstrike WMI Query Detection", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_wmi_query_detection.yml"}, {"AnalysisType": "Rule", "Description": "Attackers are exploiting a Critical (CVSS 10.0) GitLab vulnerability in which user account password reset emails could be delivered to an unverified email address.", "DisplayName": "CVE-2023-7028 - GitLab Audit Password Reset Multiple Emails", "LogTypes": ["GitLab.Audit"], "YAMLPath": 
"rules/gitlab_rules/gitlab_audit_password_reset_multiple_emails.yml"}, {"AnalysisType": "Rule", "Description": "Attackers are exploiting a Critical (CVSS 10.0) GitLab vulnerability in which user account password reset emails could be delivered to an unverified email address.", "DisplayName": "CVE-2023-7028 - GitLab Production Password Reset Multiple Emails", "LogTypes": ["GitLab.Production"], "YAMLPath": "rules/gitlab_rules/gitlab_production_password_reset_multiple_emails.yml"}, {"AnalysisType": "Rule", "Description": "Actor accessed Decoy DynamoDB", "DisplayName": "Decoy DynamoDB Accessed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_dynamodb_accessed.yml"}, {"AnalysisType": "Rule", "Description": "Actor assumed decoy IAM role", "DisplayName": "Decoy IAM Assumed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_iam_assumed.yml"}, {"AnalysisType": "Rule", "Description": "Actor accessed S3 Manager decoy secret", "DisplayName": "Decoy S3 Accessed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_s3_accessed.yml"}, {"AnalysisType": "Rule", "Description": "Actor accessed Secrets Manager decoy secret", "DisplayName": "Decoy Secret Accessed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_secret_accessed.yml"}, {"AnalysisType": "Rule", "Description": "Actor accessed Decoy Systems Manager parameter", "DisplayName": "Decoy Systems Manager Parameter Accessed", "LogTypes": ["AWS.SecurityFindingFormat"], "YAMLPath": "rules/aws_securityfinding_rules/decoy_systems_manager_parameter_accessed.yml"}, {"AnalysisType": "Rule", "Description": "An IAM user has a high volume of access denied API calls.", "DisplayName": "Detect Reconnaissance from IAM Users", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_user_recon_denied.yml"}, {"AnalysisType": "Rule", "Description": 
"Detection content has been removed from Panther.", "DisplayName": "Detection content has been deleted from Panther", "LogTypes": ["Panther.Audit"], "YAMLPath": "rules/panther_audit_rules/panther_detection_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects DNS queries with Base64 encoded subdomains, which could indicate an attempt to obfuscate data exfil.", "DisplayName": "DNS Base64 Encoded Query", "LogTypes": ["AWS.VPCDns", "CiscoUmbrella.DNS", "Crowdstrike.FDREvent"], "YAMLPath": "rules/standard_rules/standard_dns_base64.yml"}, {"AnalysisType": "Rule", "Description": "A DNS request was made to a domain on an explicit denylist", "DisplayName": "DNS request to denylisted domain", "LogTypes": ["Crowdstrike.DNSRequest", "Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_dns_request.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when an admin starts a sign-in-as session.", "DisplayName": "Dropbox Admin sign-in-as Session", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_admin_sign_in_as_session.yml"}, {"AnalysisType": "Rule", "Description": "Dropbox ownership of a document or folder has been transferred.", "DisplayName": "Dropbox Document/Folder Ownership Transfer", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_ownership_transfer.yml"}, {"AnalysisType": "Rule", "Description": "Dropbox item shared externally", "DisplayName": "Dropbox External Share", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_external_share.yml"}, {"AnalysisType": "Rule", "Description": "An application was linked to your Dropbox Account", "DisplayName": "Dropbox Linked Team Application Added", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_linked_team_application_added.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Dropbox Many Deletes", "DisplayName": "Dropbox Many Deletes", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": 
"queries/dropbox_queries/Dropbox_Many_Deletes_Query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Dropbox Many Downloads", "DisplayName": "Dropbox Many Downloads", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "queries/dropbox_queries/Dropbox_Many_Downloads_Query.yml"}, {"AnalysisType": "Rule", "Description": "Dropbox user has disabled 2fa login", "DisplayName": "Dropbox User Disabled 2FA", "LogTypes": ["Dropbox.TeamEvent"], "YAMLPath": "rules/dropbox_rules/dropbox_user_disabled_2fa.yml"}, {"AnalysisType": "Rule", "Description": "An administrator viewed a Secret Key for an Application Integration", "DisplayName": "Duo Admin App Integration Secret Key Viewed", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_app_integration_secret_key_viewed.yml"}, {"AnalysisType": "Rule", "Description": "A Duo administrator created an MFA bypass code for an application.", "DisplayName": "Duo Admin Bypass Code Created", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_bypass_code_created.yml"}, {"AnalysisType": "Rule", "Description": "An administrator viewed the MFA bypass code for a user.", "DisplayName": "Duo Admin Bypass Code Viewed", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_bypass_code_viewed.yml"}, {"AnalysisType": "Rule", "Description": "A new Duo Administrator was created.", "DisplayName": "Duo Admin Create Admin", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_create_admin.yml"}, {"AnalysisType": "Rule", "Description": "Alert when a duo administrator is locked out of their account.", "DisplayName": "Duo Admin Lockout", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_lockout.yml"}, {"AnalysisType": "Rule", "Description": "A Duo push was marked fraudulent by an admin.", "DisplayName": "Duo Admin Marked Push Fraudulent", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_marked_push_fraudulent.yml"}, 
{"AnalysisType": "Rule", "Description": "Detects changes to allowed MFA factors administrators can use to log into the admin panel.", "DisplayName": "Duo Admin MFA Restrictions Updated", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_mfa_restrictions_updated.yml"}, {"AnalysisType": "Rule", "Description": "Identifies creation of new Admin API integrations for Duo.", "DisplayName": "Duo Admin New Admin API App Integration", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_new_admin_api_app_integration.yml"}, {"AnalysisType": "Rule", "Description": "A Duo Administrator updated a Policy, which governs how users authenticate.", "DisplayName": "Duo Admin Policy Updated", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_policy_updated.yml"}, {"AnalysisType": "Rule", "Description": "Detects when SAML Authentication for Administrators is marked as Disabled or Optional.", "DisplayName": "Duo Admin SSO SAML Requirement Disabled", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_sso_saml_requirement_disabled.yml"}, {"AnalysisType": "Rule", "Description": "An Administrator enabled a user to authenticate without MFA.", "DisplayName": "Duo Admin User MFA Bypass Enabled", "LogTypes": ["Duo.Administrator"], "YAMLPath": "rules/duo_rules/duo_admin_user_mfa_bypass_enabled.yml"}, {"AnalysisType": "Rule", "Description": "Alert when a user reports a Duo action as fraudulent.", "DisplayName": "Duo User Action Reported as Fraudulent", "LogTypes": ["Duo.Authentication"], "YAMLPath": "rules/duo_rules/duo_user_action_fraudulent.yml"}, {"AnalysisType": "Rule", "Description": "A Duo authentication was denied due to an anomalous 2FA push.", "DisplayName": "Duo User Auth Denied For Anomalous Push", "LogTypes": ["Duo.Authentication"], "YAMLPath": "rules/duo_rules/duo_user_anomalous_push.yml"}, {"AnalysisType": "Rule", "Description": "A Duo user's bypass code was used to authenticate", 
"DisplayName": "Duo User Bypass Code Used", "LogTypes": ["Duo.Authentication"], "YAMLPath": "rules/duo_rules/duo_user_bypass_code_used.yml"}, {"AnalysisType": "Rule", "Description": "A Duo user's authentication was denied due to a suspicious error on the endpoint", "DisplayName": "Duo User Denied For Endpoint Error", "LogTypes": ["Duo.Authentication"], "YAMLPath": "rules/duo_rules/duo_user_endpoint_failure_multi.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 Network ACL was modified.", "DisplayName": "EC2 Network ACL Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 Network Gateway was modified.", "DisplayName": "EC2 Network Gateway Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 Route Table was modified.", "DisplayName": "EC2 Route Table Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml"}, {"AnalysisType": "Rule", "Description": "An attacker attempted to retrieve a high number of Secrets Manager secrets, through secretsmanager:GetSecretValue.", "DisplayName": "EC2 Secrets Manager Retrieve Secrets", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_secretsmanager_retrieve_secrets.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 Security Group was modified.", "DisplayName": "EC2 Security Group Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml"}, {"AnalysisType": "Rule", "Description": "An EC2 VPC was modified.", "DisplayName": "EC2 VPC Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml"}, {"AnalysisType": "Rule", "Description": "Unauthorized ECR Create, Read, Update, or Delete event occurred.", "DisplayName": 
"ECR CRUD Actions", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_ecr_crud.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects anonymous API requests made to the Kubernetes API server. In production environments, anonymous access should be disabled to prevent unauthorized access to the API server.", "DisplayName": "EKS Anonymous API Access Detected", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "rules/aws_eks_rules/anonymous_api_access.yml"}, {"AnalysisType": "Rule", "Description": "This detection identifies if a public sourceIP is generating multiple 403s with the Kubernetes API server.", "DisplayName": "EKS Audit Log based single sourceIP is generating multiple 403s", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "rules/aws_eks_rules/source_ip_multiple_403.yml"}, {"AnalysisType": "Rule", "Description": "This detection identifies if an activity is recorded in the Kubernetes audit log where the user:username attribute begins with \"system:\" or \"eks:\" and the requests originating IP Address is a Public IP Address", "DisplayName": "EKS Audit Log Reporting system Namespace is Used From A Public IP", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "rules/aws_eks_rules/system_namespace_public_ip.yml"}, {"AnalysisType": "Rule", "Description": "User enabled or disabled zendesk support user assumption.", "DisplayName": "Enabled Zendesk Support to Assume Users", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_user_assumption.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when users exec into pod. 
Possible to specify specific projects and allowed users.", "DisplayName": "Exec into Pod", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_exec_into_pod.yml"}, {"AnalysisType": "Rule", "Description": "Detects the execution of common command line tools (e.g., PowerShell, cmd.exe) with Base64 encoded arguments, which could indicate an attempt to obfuscate malicious commands.", "DisplayName": "Execution of Command Line Tool with Base64 Encoded Arguments", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "rules/crowdstrike_rules/crowdstrike_base64_encoded_args.yml"}, {"AnalysisType": "Rule", "Description": "An employee shared a sensitive file externally with another organization", "DisplayName": "External GSuite File Share", "LogTypes": ["GSuite.Reports"], "YAMLPath": "rules/gsuite_reports_rules/gsuite_drive_external_share.yml"}, {"AnalysisType": "Rule", "Description": "A Root console login failed.", "DisplayName": "Failed Root Console Login", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_console_root_login_failed.yml"}, {"AnalysisType": "Rule", "Description": "GCP Access Attempts Violating IAP Access Controls", "DisplayName": "GCP Access Attempts Violating IAP Access Controls", "LogTypes": ["GCP.HTTPLoadBalancer"], "YAMLPath": "rules/gcp_http_lb_rules/gcp_access_attempts_violating_iap_access_controls.yml"}, {"AnalysisType": "Rule", "Description": "An access attempt violating VPC service controls (such as Perimeter controls) has been made.", "DisplayName": "GCP Access Attempts Violating VPC Service Controls", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_access_attempts_violating_vpc_service_controls.yml"}, {"AnalysisType": "Rule", "Description": "Detect any BigQuery query that is doing a very large scan (> 1 GB).", "DisplayName": "GCP BigQuery Large Scan", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_bigquery_large_scan.yml"}, {"AnalysisType": "Rule", "Description": 
"Detects creation of new Cloud Run Service, which, if configured maliciously, may be part of the attack aimed to invoke the service and retrieve the access token.", "DisplayName": "GCP Cloud Run Service Created", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloud_run_service_created.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Detects run.services.create method for privilege escalation in GCP. The exploit creates a new Cloud Run Service that, when invoked, returns the Service Account's access token by accessing the metadata API of the server it is running on.", "DisplayName": "GCP Cloud Run Service Created FOLLOWED BY Set IAM Policy", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "correlation_rules/gcp_cloud_run_service_create_followed_by_set_iam_policy.yml"}, {"AnalysisType": "Rule", "Description": "Detects new roles granted to users to Cloud Run Services. This could potentially allow the user to perform actions within the project and its resources, which could pose a security risk.", "DisplayName": "GCP Cloud Run Set IAM Policy", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloud_run_set_iam_policy.yml"}, {"AnalysisType": "Rule", "Description": "Detects GCP cloud storage bucket updates and deletes.", "DisplayName": "GCP Cloud Storage Buckets Modified Or Deleted", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloud_storage_buckets_modified_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects privilege escalation attacks designed to gain access to the Cloud Build Service Account. 
A user with permissions to start a new build with Cloud Build can gain access to the Cloud Build Service Account and abuse it for more access to the environment.", "DisplayName": "GCP CloudBuild Potential Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloudbuild_potential_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.", "DisplayName": "GCP cloudfunctions functions create", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloudfunctions_functions_create.yml"}, {"AnalysisType": "Rule", "Description": "The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.", "DisplayName": "GCP cloudfunctions functions update", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_cloudfunctions_functions_update.yml"}, {"AnalysisType": "Rule", "Description": "Detects compute.instances.create method for privilege escalation in GCP.", "DisplayName": "GCP compute.instances.create Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_computeinstances_create_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "A Gmail account is being used instead of a corporate email", "DisplayName": "GCP Corporate Email Not Used", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_corp_email.yml"}, {"AnalysisType": "Rule", "Description": "Detect any destructive BigQuery queries or jobs such as update, delete, drop, alter or truncate.", "DisplayName": "GCP Destructive Queries", "LogTypes": ["GCP.AuditLog"], 
"YAMLPath": "rules/gcp_audit_rules/gcp_destructive_queries.yml"}, {"AnalysisType": "Rule", "Description": "Detection for GCP DNS zones that are deleted, patched, or updated.", "DisplayName": "GCP DNS Zone Modified or Deleted", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations of GCP firewall rules.", "DisplayName": "GCP Firewall Rule Created", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_firewall_rule_created.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects deletions of GCP firewall rules.", "DisplayName": "GCP Firewall Rule Deleted", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_firewall_rule_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects modifications to GCP firewall rules.", "DisplayName": "GCP Firewall Rule Modified", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_firewall_rule_modified.yml"}, {"AnalysisType": "Rule", "Description": "Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket.", "DisplayName": "GCP GCS IAM Permission Changes", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_gcs_iam_changes.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitor for any modifications or creations of a cron job in GKE. 
Attackers may create or modify an existing scheduled job in order to achieve cluster persistence.", "DisplayName": "GCP GKE Kubernetes Cron Job Created Or Modified", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_cron_job_created_or_modified.yml"}, {"AnalysisType": "Rule", "Description": "A custom role has been created, deleted, or updated.", "DisplayName": "GCP IAM Role Has Changed", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_custom_role_changes.yml"}, {"AnalysisType": "Rule", "Description": "The Identity and Access Management (IAM) service manages authorization and authentication for a GCP environment. This means that there are very likely multiple privilege escalation methods that use the IAM service and/or its permissions.", "DisplayName": "GCP IAM serviceAccounts getAccessToken Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_service_accounts_get_access_token_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "The iam.serviceAccounts.signBlob permission \"allows signing of arbitrary payloads\" in GCP. This means we can create a signed blob that requests an access token from the Service Account we are targeting.", "DisplayName": "GCP IAM serviceAccounts signBlob", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_service_accounts_sign_blob.yml"}, {"AnalysisType": "Rule", "Description": "Detects iam.serviceAccounts.signJwt method for privilege escalation in GCP. This method works by signing well-formed JSON web tokens (JWTs). 
The script for this method will sign a well-formed JWT and request a new access token belonging to the Service Account with it.", "DisplayName": "GCP IAM serviceAccounts.signJwt Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_serviceaccounts_signjwt.yml"}, {"AnalysisType": "Rule", "Description": "If your user is assigned a custom IAM role, then iam.roles.update will allow you to update the \u201cincludedPermissons\u201d on that role. Because it is assigned to you, you will gain the additional privileges, which could be anything you desire.", "DisplayName": "GCP iam.roles.update Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_roles_update_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "GCP Inbound SSO Profile Created", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_inbound_sso_profile_created_or_updated.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitors for any kubernetes API Request originating from an Indicator of Compromise.", "DisplayName": "GCP K8s IOCActivity", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_ioc_activity.yml"}, {"AnalysisType": "Rule", "Description": "Detects Daemonset creation in GCP Kubernetes clusters.", "DisplayName": "GCP K8s New Daemonset Deployed", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_new_daemonset_deployed.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitor for the creation of pods which are attached to the host's network. This allows a pod to listen to all network traffic for all deployed computer on that particular node and communicate with other compute on the network namespace. 
Attackers can use this to capture secrets passed in arguments or connections.", "DisplayName": "GCP K8s Pod Attached To Node Host Network", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_pod_attached_to_node_host_network.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitors for pod creation with a hostPath volume mount. The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement.", "DisplayName": "GCP K8S Pod Create Or Modify Host Path Volume Mount", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_pod_create_or_modify_host_path_vol_mount.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitors for any pod creation or modification using the host PID namespace. The Host PID namespace enables a pod and its containers to have direct access and share the same view as of the host\u2019s processes. This can offer a powerful escape hatch to the underlying host.", "DisplayName": "GCP K8s Pod Using Host PID Namespace", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_pod_using_host_pid_namespace.yml"}, {"AnalysisType": "Rule", "Description": "Alerts when a user creates privileged pod. These particular pods have full access to the host\u2019s namespace and devices, have the ability to exploit the kernel, have dangerous linux capabilities, and can be a powerful launching point for further attacks. In the event of a successful container escape where a user is operating with root privileges, the attacker retains this role on the node.", "DisplayName": "GCP K8S Privileged Pod Created", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_privileged_pod_created.yml"}, {"AnalysisType": "Rule", "Description": "This detection monitors for any kubernetes service deployed with type node port. 
A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.", "DisplayName": "GCP K8S Service Type NodePort Deployed", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_k8s_rules/gcp_k8s_service_type_node_port_deployed.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects deletions of GCP Log Buckets or Sinks.", "DisplayName": "GCP Log Bucket or Sink Deleted", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_log_bucket_or_sink_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects any changes made to logging settings", "DisplayName": "GCP Logging Settings Modified", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_logging_settings_modified.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects modifications to GCP Log Sinks.", "DisplayName": "GCP Logging Sink Modified", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_logging_sink_modified.yml"}, {"AnalysisType": "Rule", "Description": "Alert if a GCP Org or Folder Policy Was Changed Manually.", "DisplayName": "GCP Org or Folder Policy Was Changed Manually", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_org_folder_changes.yml"}, {"AnalysisType": "Rule", "Description": "Permissions granted to impersonate a service account. 
This includes predefined service account IAM roles granted at the parent project, folder or organization-level.", "DisplayName": "GCP Permissions Granted to Create or Manage Service Account Key", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_permissions_granted_to_create_or_manage_service_account_key.yml"}, {"AnalysisType": "Rule", "Description": "Adversaries may create cloud instances in unused geographic service regions in order to evade detection.", "DisplayName": "GCP Resource in Unused Region", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_unused_regions.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects deletions of GCP Log Buckets or Sinks.", "DisplayName": "GCP Service Account Access Denied", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_service_account_access_denied.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a service account or key is created manually by a user instead of an automated workflow.", "DisplayName": "GCP Service Account or Keys Created ", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_service_account_or_keys_created.yml"}, {"AnalysisType": "Rule", "Description": "Detects serviceusage.apiKeys.create method for privilege escalation in GCP. By default, API Keys are created with no restrictions, which means they have access to the entire GCP project they were created in. 
We can capitalize on that fact by creating a new API key that may have more privileges than our own user.", "DisplayName": "GCP serviceusage.apiKeys.create Privilege Escalation", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_serviceusage_apikeys_create_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "Monitoring changes to Sql Instance configuration may reduce time to detect and correct misconfigurations done on sql server.", "DisplayName": "GCP SQL Config Changes", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_sql_config_changes.yml"}, {"AnalysisType": "Rule", "Description": "There is a feature of Cloud Storage, \u201cinteroperability\u201d, that provides a way for Cloud Storage to interact with storage offerings from other cloud providers, like AWS S3. As part of that, there are HMAC keys that can be created for both Service Accounts and regular users. We can escalate Cloud Storage permissions by creating an HMAC key for a higher-privileged Service Account.", "DisplayName": "GCP storage hmac keys create", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_storage_hmac_keys_create.yml"}, {"AnalysisType": "Rule", "Description": "A user has been granted access to a IAP protected service.", "DisplayName": "GCP User Added to IAP Protected Service", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_user_added_to_iap_protected_service.yml"}, {"AnalysisType": "Rule", "Description": "A user was added to a group with special previleges", "DisplayName": "GCP User Added to Privileged Group", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_user_added_to_privileged_group.yml"}, {"AnalysisType": "Rule", "Description": "VPC flow logs were disabled for a subnet.", "DisplayName": "GCP VPC Flow Logs Disabled", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_vpc_flow_logs_disabled.yml"}, {"AnalysisType": "Rule", "Description": "", 
"DisplayName": "GCP Workforce Pool Created or Updated", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_workforce_pool_created_or_updated.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "GCP Workload Identity Pool Created or Updated", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_workload_identity_pool_created_or_updated.yml"}, {"AnalysisType": "Rule", "Description": "If your user is assigned a custom IAM role, then iam.roles.update will allow you to update the \u201cincludedPermissons\u201d on that role. Because it is assigned to you, you will gain the additional privileges, which could be anything you desire.", "DisplayName": "GCP.Iam.ServiceAccountKeys.Create", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_iam_service_account_key_create.yml"}, {"AnalysisType": "Rule", "Description": "Detects privilege escalation in GCP by taking over the deploymentsmanager.deployments.create permission", "DisplayName": "GCP.Privilege.Escalation.By.Deployments.Create", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_privilege_escalation_by_deployments_create.yml"}, {"AnalysisType": "Rule", "Description": "Adversaries may access data objects from improperly secured cloud storage.", "DisplayName": "GCS Bucket Made Public", "LogTypes": ["GCP.AuditLog"], "YAMLPath": "rules/gcp_audit_rules/gcp_gcs_public.yml"}, {"AnalysisType": "Rule", "Description": "A monitored github action has failed.", "DisplayName": "GitHub Action Failed", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_action_failed.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Identifies when advances security change was made not to archive a repo. 
Eliminates false positives in the Advances Security Change Rule when the repo is archived.", "DisplayName": "GitHub Advanced Security Change WITHOUT Repo Archived", "LogTypes": ["GitHub.Audit"], "YAMLPath": "correlation_rules/github_advanced_security_change_not_followed_by_repo_archived.yml"}, {"AnalysisType": "Rule", "Description": "Disabling branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.", "DisplayName": "GitHub Branch Protection Disabled", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_branch_protection_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Bypassing branch protection controls could indicate malicious use of admin credentials in an attempt to hide activity.", "DisplayName": "GitHub Branch Protection Policy Override", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_branch_policy_override.yml"}, {"AnalysisType": "Rule", "Description": "Creates an alert if a dependabot alert is dismissed without being fixed.", "DisplayName": "GitHub Dependabot Vulnerability Dismissed", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_vulnerability_dismissed.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to GitHub org authentication changes.", "DisplayName": "GitHub Org Authentication Method Changed", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_org_auth_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to a GitHub Org IP Allow List", "DisplayName": "GitHub Org IP Allow List modified", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_org_ip_allowlist.yml"}, {"AnalysisType": "Rule", "Description": "An application integration was installed to your organization's Github account by someone in your organization.", "DisplayName": "Github Organization App Integration Installed", "LogTypes": ["GitHub.Audit"], "YAMLPath": 
"rules/github_rules/github_organization_app_integration_installed.yml"}, {"AnalysisType": "Rule", "Description": "A public Github repository was created.", "DisplayName": "Github Public Repository Created", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_public_repository_created.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a repository is archived.", "DisplayName": "GitHub Repository Archived", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_archived.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a repository collaborator is added or removed.", "DisplayName": "GitHub Repository Collaborator Change", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_collaborator_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a repository is created.", "DisplayName": "GitHub Repository Created", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_created.yml"}, {"AnalysisType": "Rule", "Description": "Disabling repository ruleset controls could indicate malicious use of admin credentials in an attempt to hide activity.", "DisplayName": "GitHub Repository Ruleset Modified", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_ruleset_modified.yml"}, {"AnalysisType": "Rule", "Description": "A user accepted a request to receive a transferred Github repository, a Github repository was transferred to another repository network, or a user sent a request to transfer a repository to another user or organization.", "DisplayName": "Github Repository Transfer", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repository_transfer.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an organization repository visibility changes.", "DisplayName": "GitHub Repository Visibility Change", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_visibility_change.yml"}, {"AnalysisType": "Rule", 
"Description": "GitHub detected a secret and created a secret scanning alert.", "DisplayName": "GitHub Secret Scanning Alert Created", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_secret_scanning_alert_created.yml"}, {"AnalysisType": "Rule", "Description": "The rule alerts when GitHub Security tools (Dependabot, Secret Scanner, etc) are disabled.", "DisplayName": "GitHub Security Change, includes GitHub Advanced Security", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_advanced_security_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a team is modified in some way, such as adding a new team, deleting a team, modifying members, or a change in repository control.", "DisplayName": "GitHub Team Modified", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_team_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a GitHub user access key is created.", "DisplayName": "GitHub User Access Key Created", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_user_access_key_created.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user is added or removed from a GitHub Org.", "DisplayName": "GitHub User Added or Removed from Org", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_org_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user is added to a GitHub org's list of moderators.", "DisplayName": "GitHub User Added to Org Moderators", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_org_moderators_add.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user initially accesses a private organization repository.", "DisplayName": "GitHub User Initial Access to Private Repo", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_repo_initial_access.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a GitHub user role is upgraded to an admin or downgraded 
to a member", "DisplayName": "GitHub User Role Updated", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_user_role_updated.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a webhook is added, modified, or deleted", "DisplayName": "GitHub Web Hook Modified", "LogTypes": ["GitHub.Audit"], "YAMLPath": "rules/github_rules/github_webhook_modified.yml"}, {"AnalysisType": "Rule", "Description": "Google accessed one of your GSuite resources directly, most likely in response to a support incident.", "DisplayName": "Google Accessed a GSuite Resource", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_google_access.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Scheduled rule for the High Google Drive Download Count query which looks for incidents of more than 10 (tunable) downloads by a user in the past day.", "DisplayName": "Google Drive High Download Count", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "queries/gsuite_queries/gsuite_drive_many_docs_downloaded.yml"}, {"AnalysisType": "Rule", "Description": "A Google Workspace administrator created a new custom administrator role.", "DisplayName": "Google Workspace Admin Custom Role", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/google_workspace_admin_custom_role.yml"}, {"AnalysisType": "Rule", "Description": "Your organization's Google Workspace Advanced Protection Program settings were modified.", "DisplayName": "Google Workspace Advanced Protection Program", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/google_workspace_advanced_protection_program.yml"}, {"AnalysisType": "Rule", "Description": "Google Workspace Marketplace application allowlist settings were modified.", "DisplayName": "Google Workspace Apps Marketplace Allowlist", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": 
"rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_allowlist.yml"}, {"AnalysisType": "Rule", "Description": "A Google Workspace User configured a new domain application from the Google Workspace Apps Marketplace.", "DisplayName": "Google Workspace Apps Marketplace New Domain Application", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/google_workspace_apps_marketplace_new_domain_application.yml"}, {"AnalysisType": "Rule", "Description": "A new mobile application was added to your organization's mobile apps whitelist in Google Workspace Apps.", "DisplayName": "Google Workspace Apps New Mobile App Installed", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/google_workspace_apps_new_mobile_app_installed.yml"}, {"AnalysisType": "Rule", "Description": "A User or Admin Has Modified A Calendar To Be Public", "DisplayName": "GSuite Calendar Has Been Made Public", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_calendar_made_public.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported a suspicious activity on a user's device.", "DisplayName": "GSuite Device Suspicious Activity", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_mobile_device_suspicious_activity.yml"}, {"AnalysisType": "Rule", "Description": "A GSuite document's ownership was transferred to an external party.", "DisplayName": "GSuite Document External Ownership Transfer", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_doc_ownership_transfer.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Scheduled rule for the GSuite Drive Many Documents Deleted query. 
Looks for users who have deleted more than 10 (tunable) documents the past day.", "DisplayName": "GSuite Drive Many Documents Deleted", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "queries/gsuite_queries/gsuite_drive_many_docs_deleted.yml"}, {"AnalysisType": "Rule", "Description": "A Google drive resource became externally accessible.", "DisplayName": "GSuite External Drive Document", "LogTypes": ["GSuite.Reports"], "YAMLPath": "rules/gsuite_reports_rules/gsuite_drive_visibility_change.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported that it detected a government backed attack against your account.", "DisplayName": "GSuite Government Backed Attack", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_gov_attack.yml"}, {"AnalysisType": "Rule", "Description": "A login of a non-approved type was detected for this user.", "DisplayName": "GSuite Login Type", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_login_type.yml"}, {"AnalysisType": "Rule", "Description": "A user has configured mail forwarding to an external domain", "DisplayName": "Gsuite Mail forwarded to external domain", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_external_forwarding.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Query to search for a user deleting many documents.", "DisplayName": "GSuite Many Docs Deleted Query", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "queries/gsuite_queries/GSuite_Many_Docs_Deleted_Query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Query to search high document download counts by users.", "DisplayName": "GSuite Many Docs Downloaded Query", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "queries/gsuite_queries/GSuite_Many_Docs_Downloaded_Query.yml"}, {"AnalysisType": "Rule", "Description": "A Google drive resource that is overly visible has been modified.", "DisplayName": "GSuite Overly 
Visible Drive Document", "LogTypes": ["GSuite.Reports"], "YAMLPath": "rules/gsuite_reports_rules/gsuite_drive_overly_visible.yml"}, {"AnalysisType": "Rule", "Description": "A GSuite rule was triggered.", "DisplayName": "GSuite Passthrough Rule Triggered", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_passthrough_rule.yml"}, {"AnalysisType": "Rule", "Description": "A user disabled advanced protection for themselves.", "DisplayName": "GSuite User Advanced Protection Change", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_advanced_protection.yml"}, {"AnalysisType": "Rule", "Description": "A GSuite user was banned from an enterprise group by moderator action.", "DisplayName": "GSuite User Banned from Group", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_group_banned_user.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported a user's device has been compromised.", "DisplayName": "GSuite User Device Compromised", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_mobile_device_compromise.yml"}, {"AnalysisType": "Rule", "Description": "Someone failed to unlock a user's device multiple times in quick succession.", "DisplayName": "GSuite User Device Unlock Failures", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_mobile_device_screen_unlock_fail.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported a user's password has been compromised, so they disabled the account.", "DisplayName": "GSuite User Password Leaked", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_leaked_password.yml"}, {"AnalysisType": "Rule", "Description": "A GSuite user was suspended, the account may have been compromised by a spam network.", "DisplayName": "GSuite User Suspended", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": 
"rules/gsuite_activityevent_rules/gsuite_user_suspended.yml"}, {"AnalysisType": "Rule", "Description": "A user disabled two step verification for themselves.", "DisplayName": "GSuite User Two Step Verification Change", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_two_step_verification.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Changed The Sharing Settings for Primary Calendars", "DisplayName": "GSuite Workspace Calendar External Sharing Setting Change", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_calendar_external_sharing.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Created a Data Export", "DisplayName": "GSuite Workspace Data Export Has Been Created", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_data_export_created.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Modified A Default Routing Rule In Gmail", "DisplayName": "GSuite Workspace Gmail Default Routing Rule Modified", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_gmail_default_routing_rule.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Disabled Pre-Delivery Scanning For Gmail.", "DisplayName": "GSuite Workspace Gmail Pre-Delivery Message Scanning Disabled", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_gmail_enhanced_predelivery_scanning.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Disabled The Security Sandbox", "DisplayName": "GSuite Workspace Gmail Security Sandbox Disabled", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_gmail_security_sandbox_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Enabled Password Reuse", "DisplayName": "GSuite 
Workspace Password Reuse Has Been Enabled", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_password_reuse_enabled.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Disabled The Enforcement Of Strong Passwords", "DisplayName": "GSuite Workspace Strong Password Enforcement Has Been Disabled", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_password_enforce_strong_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Workspace Admin Has Modified The Trusted Domains List", "DisplayName": "GSuite Workspace Trusted Domain Allowlist Modified", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_workspace_trusted_domains_allowlist.yml"}, {"AnalysisType": "Rule", "Description": "An IAM role policy was attached with Administrator Access, which could indicate a potential security risk.", "DisplayName": "IAM Administrator Role Policy Attached", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_attach_admin_role_policy.yml"}, {"AnalysisType": "Rule", "Description": "A user assumed a role that was explicitly blocklisted for manual user assumption.", "DisplayName": "IAM Assume Role Blocklist Ignored", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml"}, {"AnalysisType": "Rule", "Description": "A change occurred in the IAM configuration. This could be a resource being created, deleted, or modified. This is a high level view of changes, helfpul to indicate how dynamic a certain IAM environment is.", "DisplayName": "IAM Change", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_anything_changed.yml"}, {"AnalysisType": "Rule", "Description": "An IAM Entity (Group, Policy, Role, or User) was created manually. 
IAM entities should be created in code to ensure that permissions are tracked and managed correctly.", "DisplayName": "IAM Entity Created Without CloudFormation", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml"}, {"AnalysisType": "Policy", "Description": "This policy validates that IAM entities (Groups, Roles, and Users) do not have inline policies attached that grant network admin privileges. Inline policies are more difficult to track and audit than managed policies, and can lead to persistent unexpected access.", "DisplayName": "IAM Inline Policy Network Admin", "LogTypes": ["AWS.IAM.Group", "AWS.IAM.Role", "AWS.IAM.User"], "YAMLPath": "policies/aws_iam_policies/aws_iam_inline_policy_does_not_grant_network_admin_access.yml"}, {"AnalysisType": "Rule", "Description": "An IAM Policy was changed.", "DisplayName": "IAM Policy Modified", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_policy_modified.yml"}, {"AnalysisType": "Rule", "Description": "An IAM role was created.", "DisplayName": "IAM Role Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_create_role.yml"}, {"AnalysisType": "Rule", "Description": "An IAM role policy was updated to allow internet access, which could indicate a backdoor.", "DisplayName": "IAM Role Policy Updated to Allow Internet Access", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_backdoor_role.yml"}, {"AnalysisType": "Rule", "Description": "An IAM user was created, which could indicate a new user creation or policy update.", "DisplayName": "IAM User Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_create_user.yml"}, {"AnalysisType": "Rule", "Description": "An IAM user policy was attached with Administrator Access, which could indicate a potential security risk.", "DisplayName": "IAM User Policy Attached with Administrator 
Access", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_iam_attach_admin_user_policy.yml"}, {"AnalysisType": "Rule", "Description": "A user has subsequent logins from two geographic locations that are very far apart", "DisplayName": "Impossible Travel for Login Action", "LogTypes": ["AWS.CloudTrail", "Asana.Audit", "Notion.AuditLogs", "Okta.SystemLog"], "YAMLPath": "rules/standard_rules/impossible_travel_login.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any kubernetes API Request originating from an Indicator of Compromise.", "DisplayName": "IOC Activity in K8 Control Plane", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_ioc_activity_query.yml"}, {"AnalysisType": "Rule", "Description": "A KMS Customer Managed Key was disabled or scheduled for deletion. This could potentially lead to permanent loss of encrypted data.", "DisplayName": "KMS CMK Disabled or Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_kms_cmk_loss.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitor for any modifications or creations of a cron job. Attackers may create or modify an existing scheduled job in order to achieve cluster persistence.", "DisplayName": "Kubernetes Cron Job Created or Modified", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_cron_job_created_or_modified_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any pod created in pre-configured or default namespaces. Only Cluster Admins should be creating pods in the kube-system namespace, and it is best practice not to run any cluster critical infrastructure here. The kube-public namespace is intended to be readable by unauthenticated users. The default namespace is shipped with the cluster and it is best practice not to deploy production workloads here. 
These namespaces may be used to evade defenses or hide attacker infrastructure.", "DisplayName": "Kubernetes Pod Created in Pre-Configured or Default Name Spaces", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_in_default_name_space_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any kubernetes service deployed with type node port. A Node Port service allows an attacker to expose a set of pods hosting the service to the internet by opening their port and redirecting traffic here. This can be used to bypass network controls and intercept traffic, creating a direct line to the outside network.", "DisplayName": "Kubernetes Service with Type Node Port Deployed", "LogTypes": [], "YAMLPath": "queries/kubernetes_queries/kubernetes_service_type_node_port_deployed_query.yml"}, {"AnalysisType": "Rule", "Description": "Unauthorized lambda Create, Read, Update, or Delete event occurred.", "DisplayName": "Lambda CRUD Actions", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_lambda_crud.yml"}, {"AnalysisType": "Rule", "Description": "Identifies when the code of a Lambda function is updated, which could indicate a potential security risk.", "DisplayName": "Lambda Update Function Code", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_overwrite_lambda_code.yml"}, {"AnalysisType": "Rule", "Description": "Identifies when a Lambda function configuration is updated with layers, which could indicate a potential security risk.", "DisplayName": "Lambda Update Function Configuration with Layers", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_add_malicious_lambda_extension.yml"}, {"AnalysisType": "Rule", "Description": "A console login was made without multi-factor authentication.", "DisplayName": "Logins Without MFA", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": 
"rules/aws_cloudtrail_rules/aws_console_login_without_mfa.yml"}, {"AnalysisType": "Rule", "Description": "An AWS console login was made without SAML/SSO.", "DisplayName": "Logins Without SAML", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_console_login_without_saml.yml"}, {"AnalysisType": "Rule", "Description": "The application level firewall blocks unwanted network connections made to your computer from other computers on your network.", "DisplayName": "MacOS ALF is misconfigured", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_application_firewall.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects processes that contain known browser credential files in arguments.", "DisplayName": "MacOS Browser Credential Access", "LogTypes": [], "YAMLPath": "queries/crowdstrike_queries/MacOS_Browser_Credential_Access.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Detects processes that contain known browser credential files in arguments. 
(crowdstrike_fdrevent table)", "DisplayName": "MacOS Browser Credential Access (crowdstrike_fdrevent table)", "LogTypes": ["Crowdstrike.FDREvent"], "YAMLPath": "queries/crowdstrike_queries/MacOS_Browser_Credential_Access_FDREvent.yml"}, {"AnalysisType": "Rule", "Description": "A Key Logger has potentially been detected on a macOS system", "DisplayName": "MacOS Keyboard Events", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_osx_attacks_keyboard_events.yml"}, {"AnalysisType": "Rule", "Description": "Malware has potentially been detected on a macOS system", "DisplayName": "macOS Malware Detected with osquery", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_osx_attacks.yml"}, {"AnalysisType": "Rule", "Description": "Box has detect malicious content, such as a virus.", "DisplayName": "Malicious Content Detected", "LogTypes": ["Box.Event"], "YAMLPath": "rules/box_rules/box_malicious_content.yml"}, {"AnalysisType": "Rule", "Description": "The rule looks for DNS requests to sites potentially posing as SSO domains.", "DisplayName": "Malicious SSO DNS Lookup", "LogTypes": ["CiscoUmbrella.DNS", "Crowdstrike.DNSRequest", "Crowdstrike.FDREvent", "Suricata.DNS", "Zeek.DNS"], "YAMLPath": "rules/standard_rules/malicious_sso_dns_lookup.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Multi-Factor Authentication (MFA) is disabled", "DisplayName": "MFA Disabled", "LogTypes": ["Atlassian.Audit", "GitHub.Audit", "Okta.SystemLog", "Zendesk.Audit"], "YAMLPath": "rules/standard_rules/mfa_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user creates email forwarding rules to external organizations in Microsoft Exchange Online. This can indicate data exfiltration attempts, where an attacker sets up forwarding to collect emails outside the organization. The rule detects both mailbox forwarding (Set-Mailbox) and inbox rules (New-InboxRule).The detection includes: 1. 
External organization forwarding based on domain comparison 2. Suspicious forwarding patterns like: - Forwarding without keeping a copy - Deleting messages after forwarding - Stopping rule processing after forwarding3. Multiple forwarding destinations 4. Various forwarding methods (SMTP, redirect, forward as attachment)", "DisplayName": "Microsoft Exchange External Forwarding", "LogTypes": ["Microsoft365.Audit.Exchange"], "YAMLPath": "rules/microsoft_rules/microsoft_exchange_external_forwarding.yml"}, {"AnalysisType": "Rule", "Description": "The Microsoft Graph security API federates queries to all onboarded security providers, including Azure AD Identity Protection, Microsoft 365, Microsoft Defender (Cloud, Endpoint, Identity) and Microsoft Sentinel", "DisplayName": "Microsoft Graph Passthrough", "LogTypes": ["MicrosoftGraph.SecurityAlert"], "YAMLPath": "rules/microsoft_rules/microsoft_graph_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "A Microsoft365 user was denied login access several times", "DisplayName": "Microsoft365 Brute Force Login by User", "LogTypes": ["Microsoft365.Audit.AzureActiveDirectory"], "YAMLPath": "rules/microsoft_rules/microsoft365_brute_force_login_by_user.yml"}, {"AnalysisType": "Rule", "Description": "Document shared externally", "DisplayName": "Microsoft365 External Document Sharing", "LogTypes": ["Microsoft365.Audit.SharePoint"], "YAMLPath": "rules/microsoft_rules/microsoft365_external_sharing.yml"}, {"AnalysisType": "Rule", "Description": "A user's MFA has been removed", "DisplayName": "Microsoft365 MFA Disabled", "LogTypes": ["Microsoft365.Audit.AzureActiveDirectory"], "YAMLPath": "rules/microsoft_rules/microsoft365_mfa_disabled.yml"}, {"AnalysisType": "Rule", "Description": "2FA was disabled.", "DisplayName": "MongoDB 2FA Disabled", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_2fa_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Atlas only allows client connections to the 
database deployment from entries in the project's IP access list. This rule detects when 0.0.0.0/0 is added to that list, which allows access from anywhere.", "DisplayName": "MongoDB access allowed from anywhere", "LogTypes": ["MongoDB.ProjectEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_access_allowed_from_anywhere.yml"}, {"AnalysisType": "Rule", "Description": "A MongoDB Atlas api key's access list was updated", "DisplayName": "MongoDB Atlas API Key Created", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_atlas_api_key_created.yml"}, {"AnalysisType": "Rule", "Description": "An external user has been invited to a MongoDB org.", "DisplayName": "MongoDB External User Invited", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_external_user_invited.yml"}, {"AnalysisType": "Rule", "Description": "An external user has been invited to a MongoDB org (no config).", "DisplayName": "MongoDB External User Invited (no config)", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_external_user_invited_no_config.yml"}, {"AnalysisType": "Rule", "Description": "Changes to identity provider settings are privileged activities that should be carefully audited. Attackers may add or change IDP integrations to gain persistence to environments", "DisplayName": "MongoDB Identity Provider Activity", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_identity_provider_activity.yml"}, {"AnalysisType": "Rule", "Description": "MongoDB logging toggled", "DisplayName": "MongoDB logging toggled", "LogTypes": ["MongoDB.ProjectEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_logging_toggled.yml"}, {"AnalysisType": "Rule", "Description": "You can configure Atlas to require API access lists at the organization level. 
When you enable IP access list for the Atlas Administration API, all API calls in that organization must originate from a valid entry in the associated Atlas Administration API key access list. This rule detects when IP access list is disabled", "DisplayName": "MongoDB org membership restriction disabled", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_org_membership_restriction_disabled.yml"}, {"AnalysisType": "Rule", "Description": "MongoDB provides security alerting policies for notifying admins when certain conditions are met. This rule detects when these policies are disabled or deleted.", "DisplayName": "MongoDB security alerts disabled or deleted", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_alerting_disabled.yml"}, {"AnalysisType": "Rule", "Description": "User roles changed.", "DisplayName": "MongoDB user roles changed", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_user_roles_changed.yml"}, {"AnalysisType": "Rule", "Description": "User was created or deleted.", "DisplayName": "MongoDB user was created or deleted", "LogTypes": ["MongoDB.OrganizationEvent"], "YAMLPath": "rules/mongodb_rules/mongodb_user_created_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "An unauthorized AWS API call was made", "DisplayName": "Monitor Unauthorized API Calls", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_unauthorized_api_call.yml"}, {"AnalysisType": "Rule", "Description": "A user deleted a large number of objects in a short period of time.", "DisplayName": "Netskope Many Objects Deleted", "LogTypes": ["Netskope.Audit"], "YAMLPath": "rules/netskope_rules/netskope_many_deletes.yml"}, {"AnalysisType": "Rule", "Description": "Many unauthorized API calls were observed for a user in a short period of time.", "DisplayName": "Netskope Many Unauthorized API Calls", "LogTypes": ["Netskope.Audit"], "YAMLPath": 
"rules/netskope_rules/netskope_unauthorized_api_calls.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a new admission controller being created in the cluster. Admission controllers allows an attack to intercept all API requests made within a cluster, allowing for enumeration of resources and common actions. This can be a very powerful tool to understand where to pivot to next.", "DisplayName": "New Admission Controller Created", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_admission_controller_created_query.yml"}, {"AnalysisType": "Rule", "Description": "A new AWS account was created", "DisplayName": "New AWS Account Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/indicator_creation_rules/new_aws_account_logging.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a new DaemonSet deployed to a kubernetes cluster. A daemonset is a workload that guarantees the presence of exactly one instance of a specific pod on every node in the cluster. 
This can be a very powerful tool for establishing peristence.", "DisplayName": "New DaemonSet Deployed to Kubernetes", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_new_daemonset_deployed_query.yml"}, {"AnalysisType": "Rule", "Description": "A console password, access key, or user has been created.", "DisplayName": "New IAM Credentials Updated", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_update_credentials.yml"}, {"AnalysisType": "Rule", "Description": "A new account was created", "DisplayName": "New User Account Created", "LogTypes": ["AWS.CloudTrail", "OneLogin.Events", "Zoom.Operation"], "YAMLPath": "rules/indicator_creation_rules/new_user_account_logging.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User exported audit logs for your organization\u2019s workspace.", "DisplayName": "Notion Audit Log Exported", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_workspace_audit_log_exported.yml"}, {"AnalysisType": "Correlation Rule", "Description": "A Notion User logged in then changed their account details.", "DisplayName": "Notion Login FOLLOWED BY AccountChange", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "correlation_rules/notion_login_followed_by_account_change.yml"}, {"AnalysisType": "Rule", "Description": "A user attempted to access Notion from a blocked IP address. 
Note: before deployinh, make sure to add Rule Filters checking if event.ip_address is in a certain CIDR range(s).", "DisplayName": "Notion Login From Blocked IP", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_login_from_blocked_ip.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User logged in from a new location.", "DisplayName": "Notion Login from New Location", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_login_from_new_location.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "A Notion User deleted multiple pages, which were not created or restored from the trash within the same hour.", "DisplayName": "Notion Many Pages Deleted", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "queries/notion_queries/notion_many_pages_deleted_sched.yml"}, {"AnalysisType": "Scheduled Query", "Description": "A Notion User deleted multiple pages, which were not created or restored from the trash within the same hour.", "DisplayName": "Notion Many Pages Deleted Query", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "queries/notion_queries/notion_many_pages_deleted_query.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User exported multiple pages.", "DisplayName": "Notion Many Pages Exported", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_many_pages_exported.yml"}, {"AnalysisType": "Rule", "Description": "A new API integration was added to a Notion page, or it's permissions were changed.", "DisplayName": "Notion Page API Permissions Changed", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_page_accessible_to_api.yml"}, {"AnalysisType": "Rule", "Description": "The external guest permissions for a Notion page have been altered.", "DisplayName": "Notion Page Guest Permissions Changed", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_page_accessible_to_guests.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User published a 
page to the web.", "DisplayName": "Notion Page Published to Web", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_page_shared_to_web.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User changed settings to enforce SAML SSO configurations for your organization.", "DisplayName": "Notion SAML SSO Configuration Changed", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_workspace_settings_enforce_saml_sso_config_updated.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User generated a SCIM token.", "DisplayName": "Notion SCIM Token Generated", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_scim_token_generated.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User enabled sharing for a Workspace or Teamspace.", "DisplayName": "Notion Sharing Settings Updated", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_sharing_settings_updated.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User was added as a Teamspace owner.", "DisplayName": "Notion Teamspace Owner Added", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_teamspace_owner_added.yml"}, {"AnalysisType": "Rule", "Description": "A Notion User exported an existing workspace.", "DisplayName": "Notion Workspace Exported", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_workspace_exported.yml"}, {"AnalysisType": "Rule", "Description": "A Notion page was set to public in your worksace.", "DisplayName": "Notion Workspace public page added", "LogTypes": ["Notion.AuditLogs"], "YAMLPath": "rules/notion_rules/notion_workspace_settings_public_homepage_added.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Audit instances of admin access granted in your okta tenant", "DisplayName": "Okta Admin Access Granted", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_admin_access_granted.yml"}, {"AnalysisType": "Rule", 
"Description": "A user has been granted administrative privileges in Okta", "DisplayName": "Okta Admin Role Assigned", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_admin_role_assigned.yml"}, {"AnalysisType": "Rule", "Description": "Okta FastPass detected a user targeted by attackers wielding real-time (AiTM) proxies.", "DisplayName": "Okta AiTM Phishing Attempt Blocked by FastPass", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_phishing_attempt_blocked_by_fastpass.yml"}, {"AnalysisType": "Rule", "Description": "A user created an API Key in Okta", "DisplayName": "Okta API Key Created", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_api_key_created.yml"}, {"AnalysisType": "Rule", "Description": "A user has revoked an API Key in Okta", "DisplayName": "Okta API Key Revoked", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_api_key_revoked.yml"}, {"AnalysisType": "Rule", "Description": "When a client wants to renew an access token, it sends the refresh token with the access token request to the /token Okta endpoint.Okta validates the incoming refresh token, issues a new set of tokens and invalidates the refresh token that was passed with the initial request.This detection alerts when a previously used refresh token is used again with the token request", "DisplayName": "Okta App Refresh Access Token Reuse", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_app_refresh_access_token_reuse.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a user is denied access to an Okta application", "DisplayName": "Okta App Unauthorized Access Attempt", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_app_unauthorized_access_attempt.yml"}, {"AnalysisType": "Rule", "Description": "An application admin has extracted cleartext user passwords via SCIM app. 
Malcious actors can extract plaintext passwords by creating a SCIM application under their control and configuring it to sync passwords from Okta.", "DisplayName": "Okta Cleartext Passwords Extracted via SCIM Application", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_password_extraction_via_scim.yml"}, {"AnalysisType": "Rule", "Description": "Detect when an admin role is assigned to a group", "DisplayName": "Okta Group Admin Role Assigned", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_group_admin_role_assigned.yml"}, {"AnalysisType": "Saved Query", "Description": "https://sec.okta.com/harfiles", "DisplayName": "Okta HAR File IOCs", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_harfile_iocs.yml"}, {"AnalysisType": "Rule", "Description": "A new 3rd party Identity Provider has been created or modified. Attackers have been observed configuring a second Identity Provider to act as an \"impersonation app\" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a \u201csource\u201d IdP in an inbound federation relationship (sometimes called \u201cOrg2Org\u201d) with the target.", "DisplayName": "Okta Identity Provider Created or Modified", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_idp_create_modify.yml"}, {"AnalysisType": "Rule", "Description": "A user has signed in using a 3rd party Identity Provider. Attackers have been observed configuring a second Identity Provider to act as an \"impersonation app\" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a \u201csource\u201d IdP in an inbound federation relationship (sometimes called \u201cOrg2Org\u201d) with the target. 
From this \u201csource\u201d IdP, the threat actor manipulated the username parameter for targeted users in the second \u201csource\u201d Identity Provider to match a real user in the compromised \u201ctarget\u201d Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user. Do not use this rule if your organization uses legitimate 3rd-party Identity Providers.", "DisplayName": "Okta Identity Provider Sign-in", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_idp_signin.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Investigate Password and MFA resets for the last 7 days", "DisplayName": "Okta Investigate MFA and Password resets", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_mfa_password_reset_audit.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Search for activity related to a specific SessionID in Okta panther_logs.okta_systemlog", "DisplayName": "Okta Investigate Session ID Activity", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_session_id_audit.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Audit user activity across your environment. 
Customize to filter on specific users, time ranges, etc", "DisplayName": "Okta Investigate User Activity", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_activity_audit.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Okta Logins from an IP Address not found in CrowdStrike's AIP List", "DisplayName": "Okta Login From CrowdStrike Unmanaged Device", "LogTypes": ["Crowdstrike.AIDMaster", "Okta.SystemLog"], "YAMLPath": "queries/crowdstrike_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_Query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Okta Logins from an IP Address not found in CrowdStrike's AIP List (crowdstrike_fdrevent table)", "DisplayName": "Okta Login From CrowdStrike Unmanaged Device (crowdstrike_fdrevent table)", "LogTypes": ["Crowdstrike.FDREvent", "Okta.SystemLog"], "YAMLPath": "queries/okta_queries/Okta_Login_From_CrowdStrike_Unmanaged_Device_FDREvent.yml"}, {"AnalysisType": "Rule", "Description": "An admin user has disabled the MFA requirement for your Okta account", "DisplayName": "Okta MFA Globally Disabled", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_admin_disabled_mfa.yml"}, {"AnalysisType": "Rule", "Description": "New Behaviors Observed while Accessing Okta Admin Console. A user attempted to access the Okta Admin Console from a new device with a new IP.", "DisplayName": "Okta New Behaviors Acessing Admin Console", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_new_behavior_accessing_admin_console.yml"}, {"AnalysisType": "Rule", "Description": "An Okta Org2Org application has been created or modified. Okta's Org2Org applications instances are used to push and match users from one Okta organization to another. 
A malicious actor can add an Org2Org application instance and create a user in the source organization (controlled by the attacker) with the same identifier as a Super Administrator in the target organization.", "DisplayName": "Okta Org2Org application created of modified", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_org2org_creation_modification.yml"}, {"AnalysisType": "Rule", "Description": "User accessed another user's application password", "DisplayName": "Okta Password Accessed", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_password_accessed.yml"}, {"AnalysisType": "Rule", "Description": "This rule looks for the same session being used from two devices, indicating a compromised session token.", "DisplayName": "Okta Potentially Stolen Session", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_potentially_stolen_session.yml"}, {"AnalysisType": "Rule", "Description": "Potential DoS/Bruteforce attack or hitting limits (system degradation)", "DisplayName": "Okta Rate Limits", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_rate_limits.yml"}, {"AnalysisType": "Rule", "Description": "A user is attempting to sign-in to Okta from a known VPN anonymizer. 
The threat actor would access the compromised account using anonymizing proxy services.", "DisplayName": "Okta Sign-In from VPN Anonymizer", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_anonymizing_vpn_login.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Show instances that Okta support was granted to your account", "DisplayName": "Okta Support Access", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_support_access.yml"}, {"AnalysisType": "Rule", "Description": "An admin user has granted access to Okta Support to your account", "DisplayName": "Okta Support Access Granted", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_account_support_access.yml"}, {"AnalysisType": "Rule", "Description": "A Password or MFA factor was reset by Okta Support", "DisplayName": "Okta Support Reset Credential", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_support_reset.yml"}, {"AnalysisType": "Rule", "Description": "Okta ThreatInsight identified request from potentially malicious IP address", "DisplayName": "Okta ThreatInsight Security Threat Detected", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_threatinsight_security_threat_detected.yml"}, {"AnalysisType": "Rule", "Description": "An Okta user has locked their account.", "DisplayName": "Okta User Account Locked", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_account_locked.yml"}, {"AnalysisType": "Rule", "Description": "Suspend factor or authenticator enrollment method for user.", "DisplayName": "Okta User MFA Factor Suspend", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_mfa_factor_suspend.yml"}, {"AnalysisType": "Rule", "Description": "User has reset one of their own MFA factors", "DisplayName": "Okta User MFA Own Reset", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_mfa_reset.yml"}, {"AnalysisType": "Rule", "Description": "All MFA factors 
have been reset for a user.", "DisplayName": "Okta User MFA Reset All", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_mfa_reset_all.yml"}, {"AnalysisType": "Rule", "Description": "Suspicious Activity Reporting provides an end user with the option to report unrecognized activity from an account activity email notification.This detection alerts when a user marks the raised activity as suspicious.", "DisplayName": "Okta User Reported Suspicious Activity", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "rules/okta_rules/okta_user_reported_suspicious_activity.yml"}, {"AnalysisType": "Saved Query", "Description": "On October 30, 2024, a vulnerability was internally identified in generating the cache key for AD/LDAP DelAuth. The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password. Under a specific set of conditions, listed below, this could allow users to authenticate by providing the username with the stored cache key of a previous successful authentication. Customers meeting the pre-conditions should investigate their Okta System Log for unexpected authentications from usernames greater than 52 characters between the period of July 23rd, 2024 to October 30th, 2024. 
https://trust.okta.com/security-advisories/okta-ad-ldap-delegated-authentication-username/", "DisplayName": "Okta Username Above 52 Characters Security Advisory", "LogTypes": ["Okta.SystemLog"], "YAMLPath": "queries/okta_queries/okta_52_char_username_threat_hunt.yml"}, {"AnalysisType": "Rule", "Description": "Multiple user accounts logged in from the same ip address.", "DisplayName": "OneLogin Active Login Activity", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_active_login_activity.yml"}, {"AnalysisType": "Rule", "Description": "A user removed an authentication factor or otp device.", "DisplayName": "OneLogin Authentication Factor Removed", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_remove_authentication_factor.yml"}, {"AnalysisType": "Rule", "Description": "A OneLogin attempt with a high risk factor (>50) resulted in a failed authentication.", "DisplayName": "OneLogin Failed High Risk Login", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_high_risk_failed_login.yml"}, {"AnalysisType": "Correlation Rule", "Description": "A OneLogin user successfully logged in after a failed high-risk login attempt.", "DisplayName": "OneLogin High Risk Failed Login FOLLOWED BY Successful Login", "LogTypes": ["OneLogin.Events"], "YAMLPath": "correlation_rules/onelogin_successful_login_after_high_risk_failed_login.yml"}, {"AnalysisType": "Rule", "Description": "Possible Denial of Service detected. Threshold for user account deletions exceeded.", "DisplayName": "OneLogin Multiple Accounts Deleted", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_threshold_accounts_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Possible Denial of Service detected. 
Threshold for user account password changes exceeded.", "DisplayName": "OneLogin Multiple Accounts Modified", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_threshold_accounts_modified.yml"}, {"AnalysisType": "Rule", "Description": "User accessed another user's application password", "DisplayName": "OneLogin Password Access", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_password_accessed.yml"}, {"AnalysisType": "Rule", "Description": "A OneLogin user was denied access to an app more times than the configured threshold.", "DisplayName": "OneLogin Unauthorized Access", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_unauthorized_access.yml"}, {"AnalysisType": "Rule", "Description": "User assumed another user account", "DisplayName": "OneLogin User Assumed Another User", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_user_assumed.yml"}, {"AnalysisType": "Rule", "Description": "User locked or suspended from their account.", "DisplayName": "OneLogin User Locked", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_user_account_locked.yml"}, {"AnalysisType": "Rule", "Description": "A user password was updated.", "DisplayName": "OneLogin User Password Changed", "LogTypes": ["OneLogin.Events"], "YAMLPath": "rules/onelogin_rules/onelogin_password_changed.yml"}, {"AnalysisType": "Rule", "Description": "Keep track of osquery versions, current is 5.10.2.", "DisplayName": "Osquery Agent Outdated", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_outdated.yml"}, {"AnalysisType": "Rule", "Description": "Check if SSH is listening in a non-production environment. 
This could be an indicator of persistent access within an environment.", "DisplayName": "OSQuery Detected SSH Listener", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_ssh_listener.yml"}, {"AnalysisType": "Rule", "Description": "Monitor for chrome extensions that could lead to a credential compromise.", "DisplayName": "OSQuery Detected Unwanted Chrome Extensions", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_unwanted_chrome_extensions.yml"}, {"AnalysisType": "Rule", "Description": "Verifies that MacOS has automatic software updates enabled.", "DisplayName": "OSQuery Reports Application Firewall Disabled", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_mac_enable_auto_update.yml"}, {"AnalysisType": "Rule", "Description": "Checks if any results are returned for the Osquery OSSEC Rootkit pack.", "DisplayName": "OSSEC Rootkit Detected via Osquery", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_ossec.yml"}, {"AnalysisType": "Rule", "Description": "An Admin has modified Panther's SAML configuration.", "DisplayName": "Panther SAML configuration has been modified", "LogTypes": ["Panther.Audit"], "YAMLPath": "rules/panther_audit_rules/panther_saml_modified.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitor for the creation of pods which are attached to the host's network. This allows a pod to listen to all network traffic for all deployed computer on that particular node and communicate with other compute on the network namespace. 
Attackers can use this to capture secrets passed in arguments or connections.", "DisplayName": "Pod attached to the Node Host Network", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_attached_to_node_host_network_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any pod creation or modification using the host IPC Namespace. Deploying pods in the Host IPC Namespace, breaks isolation between the pod and the underlying host meaning the pod has direct access to the same IPC objects and communications channels as the host system.", "DisplayName": "Pod Created or Modified Using the Host IPC Namespace", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_using_host_ipc_namespace_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any pod creation or modification using the host PID namespace. The Host PID namespace enables a pod and its containers to have direct access and share the same view as of the host\u2019s processes. This can offer a powerful escape hatch to the underlying host.", "DisplayName": "Pod Created or Modified Using the Host PID Namespace", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_using_host_pid_namespace_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a pod created with overly permissive linux capabilities. Excessive pod permissions and capabilities can be a launch point for privilege escalation or container breakout.", "DisplayName": "Pod Created with Overly Permissive Linux Capabilities", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_overly_permissive_linux_capabilities_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for pod creation with a hostPath volume mount. 
The attachment to a node's volume can allow for privilege escalation through underlying vulnerabilities or it can open up possibilities for data exfiltration or unauthorized file access. It is very rare to see this being a pod requirement.", "DisplayName": "Pod creation or modification to a Host Path Volume Mount", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_pod_create_or_modify_host_path_vol_mount_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a privileged pod is created either by default or with permissions to run as root. These particular pods have full access to the hosts namespace and devices, ability to exploit the kernel, have dangerous linux capabilities, and can be a powerful launching point for further attacks.", "DisplayName": "Privileged Pod Created", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_privileged_pod_created_query.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security App Banner Acknowledged", "LogTypes": ["PushSecurity.Activity"], "YAMLPath": "rules/push_security_rules/push_security_app_banner_acknowledged.yml"}, {"AnalysisType": "Rule", "Description": "Login to application with unauthorized identity provider which could indicate a SAMLjacking attack.", "DisplayName": "Push Security Authorized IdP Login", "LogTypes": ["PushSecurity.Activity"], "YAMLPath": "rules/push_security_rules/push_security_authorized_idp_login.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security New App Detected", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_new_app_detected.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security New SaaS Account Created", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_new_saas_account_created.yml"}, {"AnalysisType": "Rule", "Description": "", 
"DisplayName": "Push Security Open Security Finding", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_open_security_finding.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security Phishable MFA Method", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_phishable_mfa_method.yml"}, {"AnalysisType": "Rule", "Description": "", "DisplayName": "Push Security Phishing Attack", "LogTypes": ["PushSecurity.Controls"], "YAMLPath": "rules/push_security_rules/push_security_phishing_attack.yml"}, {"AnalysisType": "Rule", "Description": "MFA method on SaaS app changed", "DisplayName": "Push Security SaaS App MFA Method Changed", "LogTypes": ["PushSecurity.Entities"], "YAMLPath": "rules/push_security_rules/push_security_mfa_method_changed.yml"}, {"AnalysisType": "Rule", "Description": "Login to application with unauthorized identity provider which could indicate a SAMLjacking attack.", "DisplayName": "Push Security Unauthorized IdP Login", "LogTypes": ["PushSecurity.Activity"], "YAMLPath": "rules/push_security_rules/push_security_unauthorized_idp_login.yml"}, {"AnalysisType": "Scheduled Query", "Description": "RoleAssumes with multiple Useragents could indicate compromised credentials.", "DisplayName": "RoleAssumes by Multiple Useragents", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "queries/aws_queries/anomalous_role_assume_query.yml"}, {"AnalysisType": "Rule", "Description": "An access key was created for the Root account", "DisplayName": "Root Account Access Key Created", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_root_access_key_created.yml"}, {"AnalysisType": "Rule", "Description": "Root account activity was detected.", "DisplayName": "Root Account Activity", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_root_activity.yml"}, {"AnalysisType": "Rule", "Description": "The root account has been logged into.", 
"DisplayName": "Root Console Login", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_console_root_login.yml"}, {"AnalysisType": "Rule", "Description": "Someone manually changed the Root console login password.", "DisplayName": "Root Password Changed", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_root_password_changed.yml"}, {"AnalysisType": "Rule", "Description": "A S3 Bucket, Policy, or Website was deleted", "DisplayName": "S3 Bucket Deleted", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_s3_bucket_deleted.yml"}, {"AnalysisType": "Policy", "Description": "Ensures that S3 bucket policies with service principals include conditions to prevent the confused deputy problem.", "DisplayName": "S3 Bucket Policy Confused Deputy Protection for Service Principals", "LogTypes": ["AWS.S3.Bucket"], "YAMLPath": "policies/aws_s3_policies/aws_s3_bucket_policy_confused_deputy.yml"}, {"AnalysisType": "Rule", "Description": "Salesforce detection that alerts when an admin logs in as another user.", "DisplayName": "Salesforce Admin Login As User", "LogTypes": ["Salesforce.LoginAs"], "YAMLPath": "rules/salesforce_rules/salesforce_admin_login_as_user.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for a large number of secrets requests by a single user. This could potentially indicate secret enumeration, which can potentially enable lateral or vertical movement and unauthorized access to critical resources.", "DisplayName": "Secret Enumeration by a User", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_secret_enumeration_query.yml"}, {"AnalysisType": "Correlation Rule", "Description": "The rule detects when a GitHub Secret Scan detects an exposed secret, which is not followed by the expected quarantine operation in AWS. 
When you make a repository public, or push changes to a public repository, GitHub always scans the code for secrets that match partner patterns. Public packages on the npm registry are also scanned. If secret scanning detects a potential secret, we notify the service provider who issued the secret. The service provider validates the string and then decides whether they should revoke the secret, issue a new secret, or contact you directly. Their action will depend on the associated risks to you or them.", "DisplayName": "Secret Exposed and not Quarantined", "LogTypes": ["AWS.CloudTrail", "GitHub.Audit"], "YAMLPath": "correlation_rules/secret_exposed_and_not_quarantined.yml"}, {"AnalysisType": "Policy", "Description": "AWS automatically performs server-side encryption of logs, but you can encrypt with your own CMK to protect extra sensitive log data.", "DisplayName": "Sensitive AWS CloudWatch Log Encryption", "LogTypes": ["AWS.CloudWatch.LogGroup"], "YAMLPath": "policies/aws_cloudwatch_policies/aws_cloudwatch_loggroup_sensitive_encrypted.yml"}, {"AnalysisType": "Rule", "Description": "SentinelOne Alert Passthrough", "DisplayName": "SentinelOne Alert Passthrough", "LogTypes": ["SentinelOne.Activity"], "YAMLPath": "rules/sentinelone_rules/sentinelone_alert_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "Passthrough SentinelOne Threats", "DisplayName": "SentinelOne Threats", "LogTypes": ["SentinelOne.Activity"], "YAMLPath": "rules/sentinelone_rules/sentinelone_threats.yml"}, {"AnalysisType": "Rule", "Description": "Detects when an entity signs in from a nation associated with cyber attacks", "DisplayName": "Sign In from Rogue State", "LogTypes": ["AWS.CloudTrail", "Asana.Audit", "Atlassian.Audit", "Azure.Audit", "Box.Event", "Notion.AuditLogs", "Okta.SystemLog", "OneLogin.Events", "OnePassword.SignInAttempt", "Zendesk.Audit", "Zoom.Activity"], "YAMLPath": "rules/standard_rules/sign_in_from_rogue_state.yml"}, {"AnalysisType": "Rule", "Description": 
"Passthrough for anomalies detected by Slack", "DisplayName": "Slack Anomaly Detected", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_passthrough_anomaly.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack App has had its permission scopes expanded", "DisplayName": "Slack App Access Expanded", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_app_access_expanded.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack App has been added to a workspace", "DisplayName": "Slack App Added", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_app_added.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack App has been removed", "DisplayName": "Slack App Removed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_app_removed.yml"}, {"AnalysisType": "Rule", "Description": "Detects when slack admin invalidates user session(s). If it happens more than once in a 24 hour period it can lead to DoS", "DisplayName": "Slack Denial of Service", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_application_dos.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Data Loss Prevention (DLP) rule has been deactivated or a violation has been deleted", "DisplayName": "Slack DLP Modified", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_dlp_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects when the logging settings for a workspace's EKM configuration has changed", "DisplayName": "Slack EKM Config Changed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_ekm_config_changed.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a workspace is longer enrolled in EKM", "DisplayName": "Slack EKM Slackbot Unenrolled", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_ekm_slackbot_unenrolled.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a 
workspace is no longer enrolled or managed by EKM", "DisplayName": "Slack EKM Unenrolled", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_ekm_unenrolled.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to the identity provider (IdP) configuration for Slack organizations.", "DisplayName": "Slack IDP Configuration Changed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_idp_configuration_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack information barrier is deleted/updated", "DisplayName": "Slack Information Barrier Modified", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_information_barrier_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects the disabling of Microsoft Intune Enterprise MDM within Slack", "DisplayName": "Slack Intune MDM Disabled", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_intune_mdm_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to configured legal hold policies", "DisplayName": "Slack Legal Hold Policy Modified", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_legal_hold_policy_modified.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to Multi-Factor Authentication requirements", "DisplayName": "Slack MFA Settings Changed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_mfa_settings_changed.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack organization is created", "DisplayName": "Slack Organization Created", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_org_created.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack organization is deleted", "DisplayName": "Slack Organization Deleted", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_org_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a potentially malicious 
file is shared within Slack", "DisplayName": "Slack Potentially Malicious File Shared", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_potentially_malicious_file_shared.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a channel that was previously private is made public", "DisplayName": "Slack Private Channel Made Public", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_private_channel_made_public.yml"}, {"AnalysisType": "Rule", "Description": "Detects transferring of service owner on request from primary owner", "DisplayName": "Slack Service Owner Transferred", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_service_owner_transferred.yml"}, {"AnalysisType": "Rule", "Description": "Detects changes to Single Sign On (SSO) restrictions", "DisplayName": "Slack SSO Settings Changed", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_sso_settings_changed.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack user gains escalated privileges", "DisplayName": "Slack User Privilege Escalation", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_user_privilege_escalation.yml"}, {"AnalysisType": "Rule", "Description": "Detects when a Slack account is changed to User from an elevated role.", "DisplayName": "Slack User Privileges Changed to User", "LogTypes": ["Slack.AuditLogs"], "YAMLPath": "rules/slack_rules/slack_privilege_changed_to_user.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect when account admin is granted.", "DisplayName": "Snowflake Account Admin Granted", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_account_admin_assigned.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect brute force attacks by monitoring for failed logins from the same IP address", "DisplayName": "Snowflake Brute Force Attacks by IP", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": 
"queries/snowflake_queries/snowflake_brute_force_ip.yml"}, {"AnalysisType": "Rule", "Description": "Detect brute force attacks by monitorign failed logins from the same IP address", "DisplayName": "Snowflake Brute Force Attacks by User", "LogTypes": ["Snowflake.LoginHistory"], "YAMLPath": "rules/snowflake_rules/snowflake_stream_brute_force_by_username.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect brute force attacks by monitoring for failed logins by the same username", "DisplayName": "Snowflake Brute Force Attacks by Username", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_brute_force_username.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Detecting brute force activity and reporting when a user has incorrectly logged in multiple times and then had a successful login.", "DisplayName": "Snowflake Brute Force Login Success", "LogTypes": ["Snowflake.LoginHistory"], "YAMLPath": "correlation_rules/snowflake_potential_brute_force_success.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Monitor for malicious IPs interacting with Snowflake as part of ongoing cyber threat activity reported May 31st, 2024", "DisplayName": "Snowflake Client IP", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_0108977_ip.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Monitor for configuration drift made by malicious actors as part of ongoing cyber threat activity reported May 31st, 2024", "DisplayName": "Snowflake Configuration Drift", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_0108977_configuration_drift.yml"}, {"AnalysisType": "Correlation Rule", "Description": "In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim\u2019s Snowflake instance. 
Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization\u2019s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer\u2019s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled.", "DisplayName": "Snowflake Data Exfiltration", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "correlation_rules/snowflake_data_exfiltration.yml"}, {"AnalysisType": "Rule", "Description": "Detect when an external share has been initiated from one source cloud to another target cloud.", "DisplayName": "Snowflake External Data Share", "LogTypes": ["Snowflake.DataTransferHistory"], "YAMLPath": "rules/snowflake_rules/snowflake_stream_external_shares.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect when an external share has been initiated from one source cloud to another target cloud.", "DisplayName": "Snowflake External Share", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_external_shares.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "A file was downloaded from a stage", "DisplayName": "Snowflake File Downloaded", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_file_downloaded_signal.yml"}, {"AnalysisType": "Rule", "Description": "Detect additional grants to the public role.", "DisplayName": "Snowflake Grant to Public Role", "LogTypes": ["Snowflake.GrantsToRoles"], "YAMLPath": "rules/snowflake_rules/snowflake_stream_public_role_grant.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect snowflake logins without multifactor authentication", "DisplayName": "Snowflake Login Without MFA", 
"LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_login_without_mfa.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detecting brute force activity and reporting when a user has incorrectly logged in multiple times and then had a successful login.", "DisplayName": "Snowflake Multiple Failed Logins Followed By Success", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_multiple_failed_logins_followed_by_success.yml"}, {"AnalysisType": "Rule", "Description": "Track successful login signals for correlation.", "DisplayName": "Snowflake Successful Login", "LogTypes": ["Snowflake.LoginHistory"], "YAMLPath": "rules/snowflake_rules/snowflake_stream_login_success.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "A table was copied into a stage", "DisplayName": "Snowflake Table Copied Into Stage", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_table_copied_into_stage_signal.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "A temporary stage was created", "DisplayName": "Snowflake Temporary Stage Created", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_temp_stage_created_signal.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Return sessions of suspected clients as part of ongoing cyber threat activity reported May 31st, 2024", "DisplayName": "Snowflake User Access", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_0109877_suspected_user_access.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect new users created in snowflake", "DisplayName": "Snowflake User Created", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_user_created.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Returns instances where a user's cumulative daily query volume is much larger than normal. 
Could indicate exfiltration attempts.", "DisplayName": "Snowflake User Daily Query Volume Spike", "LogTypes": ["Snowflake.QueryHistory"], "YAMLPath": "queries/snowflake_queries/snowflake_user_query_volume_spike_query.yml"}, {"AnalysisType": "Saved Query", "Description": "This query returns the most voluminous queries executed by a specific user over the past 48 hours.", "DisplayName": "Snowflake User Daily Query Volume Spike - Threat Hunting", "LogTypes": ["Panther.Audit", "Snowflake.QueryHistory"], "YAMLPath": "queries/snowflake_queries/snowflake_user_query_volume_spike_threat_hunting.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect users being re-enabled in your environment", "DisplayName": "Snowflake User Enabled", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_user_enabled.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect when a user that has key-based authentication configured logs in with a password", "DisplayName": "Snowflake user with key-based auth logged in with password auth", "LogTypes": ["Snowflake.AccountUsage"], "YAMLPath": "queries/snowflake_queries/snowflake_key_user_password_login.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk settings that lack a clear security impact are changed", "DisplayName": "Snyk Miscellaneous Settings", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_misc_settings.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Group or Organization Settings are changed.", "DisplayName": "Snyk Org or Group Settings Change", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_ou_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Organization settings, like Integrations and Webhooks, are changed", "DisplayName": "Snyk Org Settings", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_org_settings.yml"}, 
{"AnalysisType": "Rule", "Description": "Detects when Snyk Project settings are changed", "DisplayName": "Snyk Project Settings", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_project_settings.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Roles are changed", "DisplayName": "Snyk Role Change", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_role_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Service Accounts are changed", "DisplayName": "Snyk Service Account Change", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_svcacct_change.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Settings that control access for external parties have been changed.", "DisplayName": "Snyk System External Access Settings Changed", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_system_externalaccess.yml"}, {"AnalysisType": "Rule", "Description": "Detects Snyk Policy Settings have been changed. Policies define Snyk's behavior when encountering security and licensing issues.", "DisplayName": "Snyk System Policy Settings Changed", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_system_policysetting.yml"}, {"AnalysisType": "Rule", "Description": "Detects Snyk SSO Settings have been changed. 
The reference URL from Snyk indicates that these events are likely to originate exclusively from Snyk Support.", "DisplayName": "Snyk System SSO Settings Changed", "LogTypes": ["Snyk.GroupAudit"], "YAMLPath": "rules/snyk_rules/snyk_system_sso.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Snyk Users are changed", "DisplayName": "Snyk User Management", "LogTypes": ["Snyk.GroupAudit", "Snyk.OrgAudit"], "YAMLPath": "rules/snyk_rules/snyk_user_mgmt.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Identifies when StopInstance and ModifyInstanceAttributes CloudTrail events occur in a short period of time. Since EC2 startup scripts cannot be modified without first stopping the instance, StopInstances should be a signal.", "DisplayName": "StopInstance FOLLOWED BY ModifyInstanceAttributes", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "correlation_rules/aws_cloudtrail_stopinstance_followed_by_modifyinstanceattributes.yml"}, {"AnalysisType": "Rule", "Description": "Sublime flagged some messages as suspicious.", "DisplayName": "Sublime Flagged an Email", "LogTypes": ["Sublime.MessageEvent"], "YAMLPath": "rules/sublime_rules/sublime_message_flagged.yml"}, {"AnalysisType": "Rule", "Description": "A Sublime User disabled some mailbox(es).", "DisplayName": "Sublime Mailbox Deactivated", "LogTypes": ["Sublime.Audit"], "YAMLPath": "rules/sublime_rules/sublime_mailboxes_deactivated.yml"}, {"AnalysisType": "Rule", "Description": "A Sublime User disabled or deleted some message source(s).", "DisplayName": "Sublime Message Source Deleted Or Deactivated", "LogTypes": ["Sublime.Audit"], "YAMLPath": "rules/sublime_rules/sublime_message_source_deleted_or_deactivated.yml"}, {"AnalysisType": "Rule", "Description": "A Sublime User disabled or deleted some rule(s).", "DisplayName": "Sublime Rules Deleted Or Deactivated", "LogTypes": ["Sublime.Audit"], "YAMLPath": "rules/sublime_rules/sublime_rules_deleted_or_deactivated.yml"}, {"AnalysisType": "Rule", "Description": "A 
suspicious cron has been added", "DisplayName": "Suspicious cron detected", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_suspicious_cron.yml"}, {"AnalysisType": "Rule", "Description": "GSuite reported a suspicious login for this user.", "DisplayName": "Suspicious GSuite Login", "LogTypes": ["GSuite.ActivityEvent"], "YAMLPath": "rules/gsuite_activityevent_rules/gsuite_suspicious_logins.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This query can be used for the detection of unusual, non-common applications and client characteristics that had been used to connect to the Snowflake account, using a comparison to the previous usage baseline.", "DisplayName": "Suspicious Snowflake Sessions - Unusual Application", "LogTypes": [], "YAMLPath": "queries/snowflake_queries/snowflake_suspicious_session_query.yml"}, {"AnalysisType": "Rule", "Description": "A Tailscale User disabled HTTPS settings in your organization's tenant.", "DisplayName": "Tailscale HTTPS Disabled", "LogTypes": ["Tailscale.Audit"], "YAMLPath": "rules/tailscale_rules/tailscale_https_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Tailscale User disabled machine approval requirement settings in your organization's tenant. 
This means devices can access your network without requiring approval.", "DisplayName": "Tailscale Machine Approval Requirements Disabled", "LogTypes": ["Tailscale.Audit"], "YAMLPath": "rules/tailscale_rules/tailscale_machine_approval_requirements_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Tailscale User disabled magic dns settings in your organization's tenant.", "DisplayName": "Tailscale Magic DNS Disabled", "LogTypes": ["Tailscale.Audit"], "YAMLPath": "rules/tailscale_rules/tailscale_magicdns_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A user has been manually created, modified, or deleted", "DisplayName": "Teleport Create User Accounts", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_create_user_accounts.yml"}, {"AnalysisType": "Rule", "Description": "A user has invoked a network scan that could potentially indicate enumeration of the network.", "DisplayName": "Teleport Network Scan Initiated", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_network_scanning.yml"}, {"AnalysisType": "Rule", "Description": "A user has manually edited the Linux crontab", "DisplayName": "Teleport Scheduled Jobs", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_scheduled_jobs.yml"}, {"AnalysisType": "Rule", "Description": "A high volume of SSH errors could indicate a brute-force attack", "DisplayName": "Teleport SSH Auth Errors", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_auth_errors.yml"}, {"AnalysisType": "Rule", "Description": "A user has invoked a suspicious command that could lead to a host compromise", "DisplayName": "Teleport Suspicious Commands Executed", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_suspicious_commands.yml"}, {"AnalysisType": "Rule", "Description": "A 
Canary has disconnected/reconnected.", "DisplayName": "Thinkst Canary DCRC", "LogTypes": ["ThinkstCanary.Alert"], "YAMLPath": "rules/thinkstcanary_rules/thinkst_canary_dcrc.yml"}, {"AnalysisType": "Rule", "Description": "A Canary incident has been detected.", "DisplayName": "Thinkst Canary Incident", "LogTypes": ["ThinkstCanary.Alert"], "YAMLPath": "rules/thinkstcanary_rules/thinkst_canary_incident.yml"}, {"AnalysisType": "Rule", "Description": "A Canarytoken incident has been detected.", "DisplayName": "Thinkst Canarytoken Incident", "LogTypes": ["ThinkstCanary.Alert"], "YAMLPath": "rules/thinkstcanary_rules/thinkst_canarytoken_incident.yml"}, {"AnalysisType": "Rule", "Description": "Detections when Tines Actions are set to Disabled Change", "DisplayName": "Tines Actions Disabled Change", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_actions_disabled_changes.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Tines Custom CertificateAuthority settings are changed", "DisplayName": "Tines Custom CertificateAuthority setting changed", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_custom_ca.yml"}, {"AnalysisType": "Rule", "Description": "Currently enqueued or retrying jobs were cleared", "DisplayName": "Tines Enqueued/Retrying Job Deletion", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_enqueued_retrying_job_deletion.yml"}, {"AnalysisType": "Rule", "Description": "A Tines user has destroyed a global resource.", "DisplayName": "Tines Global Resource Destruction", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_global_resource_destruction.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Tines SSO settings are changed", "DisplayName": "Tines SSO Settings", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_sso_settings.yml"}, {"AnalysisType": "Rule", "Description": "A user has destroyed a story item", "DisplayName": "Tines Story Items Destruction", 
"LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_story_items_destruction.yml"}, {"AnalysisType": "Rule", "Description": "A Tines User has cleared story jobs.", "DisplayName": "Tines Story Jobs Clearance", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_story_jobs_clearance.yml"}, {"AnalysisType": "Rule", "Description": "A user has destroyed a team", "DisplayName": "Tines Team Destruction", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_team_destruction.yml"}, {"AnalysisType": "Rule", "Description": "Detects when Tines Tenant API Keys are added", "DisplayName": "Tines Tenant API Keys Added", "LogTypes": ["Tines.Audit"], "YAMLPath": "rules/tines_rules/tines_tenant_authtoken.yml"}, {"AnalysisType": "Rule", "Description": "Tracebit maintains security canaries across your organization to detect potential intrusions.This alert indicates that Tracebit has detected activity on security canaries.", "DisplayName": "Tracebit Alert", "LogTypes": ["Tracebit.Alert"], "YAMLPath": "rules/tracebit_rules/tracebit_alert.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any unauthenticated kubernetes api request. Unauthenticated Requests are performed by the anonymous user and have unfederated access to the cluster.", "DisplayName": "Unauthenticated Kubernetes API Request", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_unauthenticated_api_request_query.yml"}, {"AnalysisType": "Scheduled Query", "Description": "This detection monitors for any pod execution in a kubernetes cluster. 
Pod execution should never be done in a production cluster, and can indicate a user performing unauthorized actions.", "DisplayName": "Unauthorized Kubernetes Pod Execution", "LogTypes": ["Amazon.EKS.Audit"], "YAMLPath": "queries/kubernetes_queries/kubernetes_unauthorized_pod_execution_query.yml"}, {"AnalysisType": "Rule", "Description": "Check that all laptops on the corporate environment are on a version of MacOS supported by IT.", "DisplayName": "Unsupported macOS version", "LogTypes": ["Osquery.Differential"], "YAMLPath": "rules/osquery_rules/osquery_outdated_macos.yml"}, {"AnalysisType": "Rule", "Description": "CloudTrail logged non-read activity from a verboten AWS region.", "DisplayName": "Unused AWS Region", "LogTypes": ["AWS.CloudTrail"], "YAMLPath": "rules/aws_cloudtrail_rules/aws_unused_region.yml"}, {"AnalysisType": "Rule", "Description": "Detects when unusual or undesirable 1Password clients access your 1Password account", "DisplayName": "Unusual 1Password Client Detected", "LogTypes": ["OnePassword.SignInAttempt"], "YAMLPath": "rules/onepassword_rules/onepassword_unusual_client.yml"}, {"AnalysisType": "Rule", "Description": "A User logged in as root", "DisplayName": "User Logged in as root", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_root_login.yml"}, {"AnalysisType": "Rule", "Description": "A local User logged in without MFA", "DisplayName": "User Logged in wihout MFA", "LogTypes": ["Gravitational.TeleportAudit"], "YAMLPath": "rules/gravitational_teleport_rules/teleport_local_user_login_without_mfa.yml"}, {"AnalysisType": "Scheduled Rule", "Description": "Detect dns tunneling traffic using a scheduled query", "DisplayName": "VPC DNS Tunneling", "LogTypes": ["AWS.VPCDns"], "YAMLPath": "queries/aws_queries/vpc_dns_tunneling.yml"}, {"AnalysisType": "Rule", "Description": "VPC Flow Logs observed inbound traffic violating the port allowlist.", "DisplayName": "VPC Flow Logs Inbound Port Allowlist", 
"LogTypes": ["AWS.VPCFlow", "OCSF.NetworkActivity"], "YAMLPath": "rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_allowlist.yml"}, {"AnalysisType": "Rule", "Description": "VPC Flow Logs observed inbound traffic violating the port blocklist.", "DisplayName": "VPC Flow Logs Inbound Port Blocklist", "LogTypes": ["AWS.VPCFlow", "OCSF.NetworkActivity"], "YAMLPath": "rules/aws_vpc_flow_rules/aws_vpc_inbound_traffic_port_blocklist.yml"}, {"AnalysisType": "Rule", "Description": "Alerts if outbound DNS traffic is detected to a non-approved DNS server. DNS is often used as a means to exfiltrate data or perform command and control for compromised hosts. All DNS traffic should be routed through internal DNS servers or trusted 3rd parties.", "DisplayName": "VPC Flow Logs Unapproved Outbound DNS Traffic", "LogTypes": ["AWS.VPCFlow", "OCSF.NetworkActivity"], "YAMLPath": "rules/aws_vpc_flow_rules/aws_vpc_unapproved_outbound_dns.yml"}, {"AnalysisType": "Scheduled Query", "Description": "Instances of a srcAddr communicating with multiple ports on a dstAddr could indicate port scanning activity.", "DisplayName": "VPC Flow Port Scanning", "LogTypes": ["AWS.VPCFlow"], "YAMLPath": "queries/aws_queries/anomalous_vpc_port_activity_query.yml"}, {"AnalysisType": "Rule", "Description": "This rule enriches and contextualizes security alerts generated by Wiz.", "DisplayName": "Wiz Alert Passthrough Rule", "LogTypes": ["Wiz.Issues"], "YAMLPath": "rules/wiz_rules/wiz_alert_passthrough.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of CICD scan policies.", "DisplayName": "Wiz CICD Scan Policy Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_cicd_scan_policy_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of connectors.", "DisplayName": "Wiz Connector Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": 
"rules/wiz_rules/wiz_connector_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of data classifiers.", "DisplayName": "Wiz Data Classifier Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_data_classifier_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of image integrity validators.", "DisplayName": "Wiz Image Integrity Validator Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_image_integrity_validator_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of Wiz integrations.", "DisplayName": "Wiz Integration Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_integration_updated_or_deleted.yml"}, {"AnalysisType": "Correlation Rule", "Description": "Wiz detected a security issue with an EC2 instance followed by an SSH connection to the instance. 
This sequence could indicate a potential security breach.", "DisplayName": "Wiz Issue Followed By SSH to EC2 Instance", "LogTypes": ["AWS.VPCFlow", "Wiz.Issues"], "YAMLPath": "correlation_rules/wiz_issue_followed_by_ssh.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects user sessions revoked.", "DisplayName": "Wiz Revoke User Sessions", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_revoke_user_sessions.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects service account secrets rotations.", "DisplayName": "Wiz Rotate Service Account Secret", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_rotate_service_account_secret.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations, updates and deletions of Wiz rules.", "DisplayName": "Wiz Rule Change", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_rule_change.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations, updates and deletions of SAML identity providers.", "DisplayName": "Wiz SAML Identity Provider Change", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_saml_identity_provider_change.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations, updates and deletions of service accounts.", "DisplayName": "Wiz Service Account Change", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_service_account_change.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates of IP restrictions.", "DisplayName": "Wiz Update IP Restrictions", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_update_ip_restrictions.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates of Wiz login settings.", "DisplayName": "Wiz Update Login Settings", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_update_login_settings.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates of Wiz scanner settings.", "DisplayName": "Wiz Update 
Scanner Settings", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_update_scanner_settings.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates of Wiz support contact list.", "DisplayName": "Wiz Update Support Contact List", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_update_support_contact_list.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects creations and deletions of Wiz users.", "DisplayName": "Wiz User Created Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_user_created_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects updates and deletions of Wiz user roles.", "DisplayName": "Wiz User Role Updated Or Deleted", "LogTypes": ["Wiz.Audit"], "YAMLPath": "rules/wiz_rules/wiz_user_role_updated_or_deleted.yml"}, {"AnalysisType": "Rule", "Description": "Only one admin user can be the account owner. Ensure the change in ownership is expected.", "DisplayName": "Zendesk Account Owner Changed", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_new_owner.yml"}, {"AnalysisType": "Rule", "Description": "A user created a new API token to be used with Zendesk.", "DisplayName": "Zendesk API Token Created", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_new_api_token.yml"}, {"AnalysisType": "Rule", "Description": "A user updated account setting that disabled credit card redaction.", "DisplayName": "Zendesk Credit Card Redaction Off", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_sensitive_data_redaction.yml"}, {"AnalysisType": "Rule", "Description": "A user updated account setting that enabled or disabled mobile app access.", "DisplayName": "Zendesk Mobile App Access Modified", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_mobile_app_access.yml"}, {"AnalysisType": "Rule", "Description": "A user's Zendesk role was changed", "DisplayName": "Zendesk User Role Changed", 
"LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_user_role.yml"}, {"AnalysisType": "Rule", "Description": "A user's Zendesk suspension status was changed.", "DisplayName": "Zendesk User Suspension Status Changed", "LogTypes": ["Zendesk.Audit"], "YAMLPath": "rules/zendesk_rules/zendesk_user_suspension.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when admin user/role was deleted.", "DisplayName": "ZIA Account Access Removed", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_account_access_removal.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when an additional cloud role was created.", "DisplayName": "ZIA Additional Cloud Roles", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_additional_cloud_roles.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when ZIA backup data was deleted.", "DisplayName": "ZIA Backup Deleted", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_backup_deleted.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when new cloud account was created.", "DisplayName": "ZIA Cloud Account Created", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_create_cloud_account.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when ZIA goldenRestorePoint was dropped. 
It means that some piece of information that was impossible to delete before, now is deletable", "DisplayName": "ZIA Golden Restore Point Dropped", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_golden_restore_point_dropped.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when password settings are insecure.", "DisplayName": "ZIA Insecure Password Settings", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_insecure_password_settings.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when ZIA log streaming was disabled.", "DisplayName": "ZIA Log Streaming Disabled", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_log_streaming_disabled.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when ZIA Audit Logs were downloaded.", "DisplayName": "ZIA Logs Downloaded", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_logs_downloaded.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when password expiration eas set/removed.", "DisplayName": "ZIA Password Expiration", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_password_expiration.yml"}, {"AnalysisType": "Rule", "Description": "This rule detects when SAML authentication was enabled/disabled.", "DisplayName": "ZIA Trust Modification", "LogTypes": ["Zscaler.ZIA.AdminAuditLog"], "YAMLPath": "rules/zscaler_rules/zia/zia_trust_modification.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User turned off your organization's requirement that all meetings are secured with one security option.", "DisplayName": "Zoom All Meetings Secured With One Option Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_all_meetings_secured_with_one_option_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User turned off your organization's setting to 
automatically sign users out after a specified period of time.", "DisplayName": "Zoom Automatic Sign Out Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_automatic_sign_out_disabled.yml"}, {"AnalysisType": "Rule", "Description": "Meeting passcode requirement has been disabled from usergroup", "DisplayName": "Zoom Meeting Passcode Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_operation_passcode_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User turned off your organization's setting to require passcodes for new meetings.", "DisplayName": "Zoom New Meeting Passcode Required Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_new_meeting_passcode_required_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User modified your organizations sign in method.", "DisplayName": "Zoom Sign In Method Modified", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_sign_in_method_modified.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User changed your organization's sign in requirements.", "DisplayName": "Zoom Sign In Requirements Changed", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_sign_in_requirements_changed.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom User disabled your organization's setting to sign in with Two-Factor Authentication.", "DisplayName": "Zoom Two Factor Authentication Disabled", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_two_factor_authentication_disabled.yml"}, {"AnalysisType": "Rule", "Description": "A Zoom user was promoted to a privileged role.", "DisplayName": "Zoom User Promoted to Privileged Role", "LogTypes": ["Zoom.Operation"], "YAMLPath": "rules/zoom_operation_rules/zoom_user_promoted_to_privileged_role.yml"}] \ No newline at end of file 
diff --git a/rules/microsoft_rules/microsoft_exchange_external_forwarding.py b/rules/microsoft_rules/microsoft_exchange_external_forwarding.py
index 37cfa5852..6e5e1e823 100644
--- a/rules/microsoft_rules/microsoft_exchange_external_forwarding.py
+++ b/rules/microsoft_rules/microsoft_exchange_external_forwarding.py
@@ -1,31 +1,81 @@
-from panther_config import config
+from panther_msft_helpers import is_external_address, m365_alert_context
+
+FORWARDING_PARAMETERS = {
+ "ForwardingSmtpAddress",
+ "ForwardTo",
+ "ForwardingAddress",
+ "RedirectTo",
+ "ForwardAsAttachmentTo",
+}
+
+SUSPICIOUS_PATTERNS = {
+ "DeliverToMailboxAndForward": "False", # Only forward, don't keep copy
+ "DeleteMessage": "True", # Delete after forwarding
+ "StopProcessingRules": "True", # Stop processing other rules
+}
 
 
 def rule(event):
- if event.get("operation", "") in ("Set-Mailbox", "New-InboxRule"):
- for param in event.get("parameters", []):
- if param.get("Name", "") in ("ForwardingSmtpAddress", "ForwardTo", "ForwardingAddress"):
- to_email = param.get("Value", "")
- if (
- to_email.lower().replace("smtp:", "")
- in config.MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS
- ):
- return False
- for domain in config.MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS:
- if to_email.lower().replace("smtp:", "").endswith(domain):
- return False
+ """Alert on suspicious or external email forwarding configurations."""
+ # Skip non-forwarding related operations
+ if event.get("operation") not in ("Set-Mailbox", "New-InboxRule"):
+ return False
+
+ # Get organization domains from userid and organizationname
+ onmicrosoft_domain = event.get("organizationname", "").lower()
+ userid = event.get("userid", "").lower()
+ try:
+ primary_domain = userid.split("@")[1]
+ except (IndexError, AttributeError):
+ primary_domain = onmicrosoft_domain if onmicrosoft_domain else None
+
+ if not primary_domain:
+ return True # Alert if we can't determine organization
+
+ # Check each parameter
+ for param in event.get("parameters", []):
+ param_name = param.get("Name", "")
+ param_value = param.get("Value", "")
+
+ # Check for suspicious patterns
+ if param_name in SUSPICIOUS_PATTERNS and param_value == SUSPICIOUS_PATTERNS[param_name]:
+ return True
+
+ # Check for external forwarding
+ if param_name in FORWARDING_PARAMETERS and param_value:
+ if is_external_address(param_value, primary_domain, onmicrosoft_domain):
 return True
+
 return False
 
 
 def title(event):
- to_email = ""
- for param in event.get("parameters", []):
- if param.get("Name", "") in ("ForwardingSmtpAddress", "ForwardTo"):
- to_email = param.get("Value", "")
- break
+ parameters = event.get("parameters", [])
+ forwarding_addresses = []
+ suspicious_configs = []
+
+ for param in parameters:
+ param_name = param.get("Name", "")
+ param_value = param.get("Value", "")
+
+ if param_name in FORWARDING_PARAMETERS and param_value:
+ # Handle smtp: prefix
+ if param_value.lower().startswith("smtp:"):
+ param_value = param_value[5:]
+ # Handle multiple addresses
+ addresses = param_value.split(";")
+ forwarding_addresses.extend(addr.strip() for addr in addresses if addr.strip())
+ if param_name in SUSPICIOUS_PATTERNS and param_value == SUSPICIOUS_PATTERNS[param_name]:
+ suspicious_configs.append(f"{param_name}={param_value}")
+
+ to_emails = ", ".join(forwarding_addresses) if forwarding_addresses else ""
+ suspicious_str = f" [Suspicious: {', '.join(suspicious_configs)}]" if suspicious_configs else ""
+
 return (
- "Microsoft365: External Forwarding Created From "
- f"[{event.get('userid', '')}] to "
- f"[{to_email}]"
+ f"Microsoft365: External Forwarding Created From [{event.get('userid', '')}] "
+ f"to [{to_emails}]{suspicious_str}"
 )
+
+
+def alert_context(event):
+ return m365_alert_context(event)
diff --git a/rules/microsoft_rules/microsoft_exchange_external_forwarding.yml b/rules/microsoft_rules/microsoft_exchange_external_forwarding.yml
index bef828c87..ca9818b6a 100644
--- a/rules/microsoft_rules/microsoft_exchange_external_forwarding.yml
+++ b/rules/microsoft_rules/microsoft_exchange_external_forwarding.yml
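Review bot: The suspicious-pattern branch in rule() returns True before any forwarding parameter has been seen, so every Set-Mailbox or New-InboxRule event carrying `StopProcessingRules=True`, `DeleteMessage=True` or `DeliverToMailboxAndForward=False` alerts even when no destination is configured — those flags are routine in ordinary delete/move inbox rules and in a Set-Mailbox call that clears forwarding, and title() then reads "External Forwarding Created … to []". I would collect the flags across the loop and alert only when a destination is present: external destinations always, internal ones only in combination with a suspicious flag; all nine shipped tests keep their expected results under that logic. Two further points are hedged: only the actor's UPN domain (with subdomains, per the test) and the onmicrosoft domain are passed to is_external_address as internal, so tenants with several accepted domains will presumably see intra-tenant forwarding flagged, and dropping the `config.MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_*` allowlists removes the operator's only way to suppress approved destinations, which deserves a migration note in the rule description.
```python
    # … unchanged: operation check and primary_domain derivation …
    forwards = external = suspicious = False
    for param in event.get("parameters", []):
        param_name = param.get("Name", "")
        param_value = param.get("Value", "")
        if param_name in SUSPICIOUS_PATTERNS and param_value == SUSPICIOUS_PATTERNS[param_name]:
            suspicious = True
        elif param_name in FORWARDING_PARAMETERS and param_value:
            forwards = True
            if is_external_address(param_value, primary_domain, onmicrosoft_domain):
                external = True
    # The delete / stop-processing / no-copy flags only matter alongside a
    # destination; on their own they describe ordinary inbox rules.
    return external or (forwards and suspicious)
```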
@@ -1,15 +1,57 @@
 AnalysisType: rule
-Description: Detects creation of forwarding rule to external domains
+Description: >
+ Detects when a user creates email forwarding rules to external organizations in Microsoft Exchange Online.
+ This can indicate data exfiltration attempts, where an attacker sets up forwarding to collect emails outside
+ the organization. The rule detects both mailbox forwarding (Set-Mailbox) and inbox rules (New-InboxRule).
+
+ The detection includes:
+ 1. External organization forwarding based on domain comparison
+ 2. Suspicious forwarding patterns like:
+ - Forwarding without keeping a copy
+ - Deleting messages after forwarding
+ - Stopping rule processing after forwarding
+ 3. Multiple forwarding destinations
+ 4. Various forwarding methods (SMTP, redirect, forward as attachment)
 DisplayName: "Microsoft Exchange External Forwarding"
 Enabled: true
 Filename: microsoft_exchange_external_forwarding.py
 Reports:
 MITRE ATT&CK:
- - TA0009:T1114 # Collection - Email Collection
+ - TA0003:T1137.005 # Persistence - Office Application Startup: Outlook Rules
+ - TA0009:T1114.003 # Collection - Email Collection: Email Forwarding Rule
+ - TA0010:T1020 # Exfiltration - Automated Exfiltration
 Reference: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide
 Severity: High
+Tags:
+ - Microsoft365
+ - Exchange
+ - Data Exfiltration
+ - Email Security
+DedupPeriodMinutes: 60
+LogTypes:
+ - Microsoft365.Audit.Exchange
+RuleID: "Microsoft365.Exchange.External.Forwarding"
+Threshold: 1
+SummaryAttributes:
+ - userid
+ - parameters
+ - organizationname
+Runbook: >
+ 1. Investigate the forwarding configuration:
+ - Check if the forwarding is legitimate and approved
+ - Verify the destination addresses
+ - Review any suspicious patterns (deletion, no copy kept)
+ 2. If unauthorized:
+ - Remove the forwarding rule
+ - Check for any data that may have been forwarded
+ - Review the user's recent activity
+ 3. If authorized:
+ - Document the business justification
+ - Ensure it complies with security policies
+ - Monitor for any changes to the forwarding configuration
 Tests:
- - ExpectedResult: true
+ - Name: External Organization Forwarding
+ ExpectedResult: true
 Log:
 clientip: 1.2.3.4
 creationtime: "2022-12-12 22:19:00"
@@ -22,9 +64,9 @@ Tests:
 originatingserver: QWERTY (1.2.3.4)
 parameters:
 - Name: Identity
- Value: ABC1.prod.outlook.com/Microsoft Exchange Hosted Organizations/simpsons.onmicrosoft.com/homer.simpson
+ Value: homer.simpson@simpsons.onmicrosoft.com
 - Name: ForwardingSmtpAddress
- Value: smtp:hello@familyguy.com
+ Value: smtp:peter.griffin@familyguy.com
 - Name: DeliverToMailboxAndForward
 Value: "False"
 recordtype: 1
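Review bot: Runbook step 2 says "Remove the forwarding rule", but the rule alerts on two distinct mechanisms — mailbox-level forwarding set through `Set-Mailbox` (ForwardingSmtpAddress / ForwardingAddress) and per-user inbox rules created by `New-InboxRule` — and clearing one does not clear the other. I would word the step to cover both, e.g. `- Clear mailbox forwarding (ForwardingSmtpAddress/ForwardingAddress) and remove any inbox rule, depending on which operation the event shows`. The Description bullet "3. Multiple forwarding destinations" reads as a separate detection, whereas the Python rule only splits a semicolon-separated value and checks each address; "semicolon-separated destination lists" would describe the behavior more precisely.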
@@ -33,37 +75,35 @@ Tests:
 userkey: "12345"
 usertype: 2
 workload: Exchange
- Name: Forwarding Enabled
- - ExpectedResult: true
+
+ - Name: Internal Organization Forwarding
+ ExpectedResult: false
 Log:
 clientip: 1.2.3.4
 creationtime: "2022-12-12 22:19:00"
 externalaccess: false
 id: 111-22-33
 objectid: homer.simpson
- operation: New-InboxRule
+ operation: Set-Mailbox
 organizationid: 11-aa-bb
 organizationname: simpsons.onmicrosoft.com
 originatingserver: QWERTY (1.2.3.4)
 parameters:
- - Name: AlwaysDeleteOutlookRulesBlob
- Value: "False"
- - Name: Force
- Value: "False"
- - Name: ForwardTo
- Value: hello@familyguy.com
- - Name: Name
- Value: test forwarding
- - Name: StopProcessingRules
+ - Name: Identity
+ Value: marge.simpson@simpsons.onmicrosoft.com
+ - Name: ForwardingSmtpAddress
+ Value: smtp:marge.simpson@simpsons.com
+ - Name: DeliverToMailboxAndForward
 Value: "True"
 recordtype: 1
 resultstatus: "True"
- userid: homer.simpson@simpsons.onmicrosoft.com
+ userid: homer.simpson@simpsons.com
 userkey: "12345"
 usertype: 2
 workload: Exchange
- Name: Forwarding Rule
- - ExpectedResult: false
+
+ - Name: Suspicious Forwarding Pattern
+ ExpectedResult: true
 Log:
 clientip: 1.2.3.4
 creationtime: "2022-12-12 22:19:00"
@@ -75,14 +115,14 @@ Tests:
 organizationname: simpsons.onmicrosoft.com
 originatingserver: QWERTY (1.2.3.4)
 parameters:
- - Name: AlwaysDeleteOutlookRulesBlob
- Value: "False"
- - Name: Force
- Value: "False"
+ - Name: Identity
+ Value: "Delete and Forward Rule"
+ - Name: Mailbox
+ Value: homer.simpson@simpsons.onmicrosoft.com
 - Name: ForwardTo
- Value: hello@example.com
- - Name: Name
- Value: test forwarding
+ Value: external@example.com
+ - Name: DeleteMessage
+ Value: "True"
 - Name: StopProcessingRules
 Value: "True"
 recordtype: 1
@@ -91,8 +131,9 @@ Tests:
 userkey: "12345"
 usertype: 2
 workload: Exchange
- Name: Forwarding Rule to Allowed Domain
- - ExpectedResult: false
+
+ - Name: Multiple Forwarding Addresses
+ ExpectedResult: true
 Log:
 clientip: 1.2.3.4
 creationtime: "2022-12-12 22:19:00"
@@ -104,24 +145,23 @@ Tests:
 organizationname: simpsons.onmicrosoft.com
 originatingserver: QWERTY (1.2.3.4)
 parameters:
- - Name: AlwaysDeleteOutlookRulesBlob
- Value: "False"
- - Name: Force
- Value: "False"
+ - Name: Identity
+ Value: "Multiple Forward Rule"
+ - Name: Mailbox
+ Value: homer.simpson@simpsons.onmicrosoft.com
 - Name: ForwardTo
- Value: postmaster@example.com
- - Name: Name
- Value: test forwarding
- - Name: StopProcessingRules
- Value: "True"
+ Value: "external1@example.com;external2@example.com;external3@example.com"
+ - Name: DeliverToMailboxAndForward
+ Value: "False"
 recordtype: 1
 resultstatus: "True"
 userid: homer.simpson@simpsons.onmicrosoft.com
 userkey: "12345"
 usertype: 2
 workload: Exchange
- Name: Forwarding Rule to Exception
- - ExpectedResult: false
+
+ - Name: Invalid Identity Format
+ ExpectedResult: true
 Log:
 clientip: 1.2.3.4
 creationtime: "2022-12-12 22:19:00"
@@ -134,9 +174,9 @@ Tests:
 originatingserver: QWERTY (1.2.3.4)
 parameters:
 - Name: Identity
- Value: ABC1.prod.outlook.com/Microsoft Exchange Hosted Organizations/simpsons.onmicrosoft.com/homer.simpson
+ Value: Invalid/Path/Format
 - Name: ForwardingSmtpAddress
- Value: smtp:hello@example.com
+ Value: smtp:hello@familyguy.com
 - Name: DeliverToMailboxAndForward
 Value: "False"
 recordtype: 1
@@ -145,8 +185,9 @@ Tests:
 userkey: "12345"
 usertype: 2
 workload: Exchange
- Name: Forwarding To Allowed Domain
- - ExpectedResult: false
+
+ - Name: Missing Organization Name
+ ExpectedResult: true
 Log:
 clientip: 1.2.3.4
 creationtime: "2022-12-12 22:19:00"
@@ -155,13 +196,13 @@ Tests:
 objectid: homer.simpson
 operation: Set-Mailbox
 organizationid: 11-aa-bb
- organizationname: simpsons.onmicrosoft.com
+ organizationname: ""
 originatingserver: QWERTY (1.2.3.4)
 parameters:
 - Name: Identity
 Value: ABC1.prod.outlook.com/Microsoft Exchange Hosted Organizations/simpsons.onmicrosoft.com/homer.simpson
 - Name: ForwardingSmtpAddress
- Value: smtp:postmaster@example.com
+ Value: smtp:hello@familyguy.com
 - Name: DeliverToMailboxAndForward
 Value: "False"
 recordtype: 1
@@ -170,40 +211,81 @@ Tests:
 userkey: "12345"
 usertype: 2
 workload: Exchange
- Name: Forwarding to Exception
- - ExpectedResult: true
+
+ - Name: Subdomain Forwarding (Internal)
+ ExpectedResult: false
 Log:
- {
- "AppAccessContext": {},
- "ClientIP": "20.185.225.251:6688",
- "CreationTime": "2023-10-24 13:06:33.000000000",
- "ExternalAccess": false,
- "Id": "78ab3f60-bd49-42e5-e69d-08dbd4920c3d",
- "ObjectId": "28eb696a-03f7-47bd-a07a-b09d5f6e592e",
- "Operation": "Set-Mailbox",
- "OrganizationId": "18360841-3f87-44a6-8c9a-3ffc680611a0",
- "OrganizationName": "fellowship.lotr.com",
- "OriginatingServer": "AM6PR0402MB3448 (15.20.6933.008)",
- "Parameters":
- [
- {
- "Name": "Identity",
- "Value": "28eb696a-03f7-47bd-a07a-b09d5f6e592e",
- },
- { "Name": "ForwardingAddress", "Value": "sauron@mordor.dev" },
- { "Name": "ForwardingSmtpAddress", "Value": "" },
- { "Name": "DeliverToMailboxAndForward", "Value": "False" },
- ],
- "RecordType": 1,
- "ResultStatus": "True",
- "UserId": "saurman@lotr.com",
- "UserKey": "10032002CD6B7EFD",
- "UserType": 2,
- "Workload": "Exchange",
- }
- Name: Log with ForwardingAddress
-DedupPeriodMinutes: 60
-LogTypes:
- - Microsoft365.Audit.Exchange
-RuleID: "Microsoft365.Exchange.External.Forwarding"
-Threshold: 1
+ clientip: 1.2.3.4
+ creationtime: "2022-12-12 22:19:00"
+ externalaccess: false
+ id: 111-22-33
+ objectid: homer.simpson
+ operation: Set-Mailbox
+ organizationid: 11-aa-bb
+ organizationname: simpsons.onmicrosoft.com
+ originatingserver: QWERTY (1.2.3.4)
+ parameters:
+ - Name: Identity
+ Value: homer.simpson@simpsons.onmicrosoft.com
+ - Name: ForwardingSmtpAddress
+ Value: smtp:bart.simpson@springfield.simpsons.com
+ - Name: DeliverToMailboxAndForward
+ Value: "True"
+ recordtype: 1
+ resultstatus: "True"
+ userid: homer.simpson@simpsons.com
+ userkey: "12345"
+ usertype: 2
+ workload: Exchange
+
+ - Name: Similar Domain Forwarding (External)
+ ExpectedResult: true
+ Log:
+ clientip: 1.2.3.4
+ creationtime: "2022-12-12 22:19:00"
+ externalaccess: false
+ id: 111-22-33
+ objectid: homer.simpson
+ operation: Set-Mailbox
+ organizationid: 11-aa-bb
+ organizationname: simpsons.onmicrosoft.com
+ originatingserver: QWERTY (1.2.3.4)
+ parameters:
+ - Name: Identity
+ Value: homer.simpson@simpsons.onmicrosoft.com
+ - Name: ForwardingSmtpAddress
+ Value: smtp:evil@simpsons2.com
+ - Name: DeliverToMailboxAndForward
+ Value: "True"
+ recordtype: 1
+ resultstatus: "True"
+ userid: homer.simpson@simpsons.com
+ userkey: "12345"
+ usertype: 2
+ workload: Exchange
+
+ - Name: Non-Com TLD Organization
+ ExpectedResult: false
+ Log:
+ clientip: 1.2.3.4
+ creationtime: "2022-12-12 22:19:00"
+ externalaccess: false
+ id: 111-22-33
+ objectid: homer.simpson
+ operation: Set-Mailbox
+ organizationid: 11-aa-bb
+ organizationname: simpsons.onmicrosoft.com
+ originatingserver: QWERTY (1.2.3.4)
+ parameters:
+ - Name: Identity
+ Value: homer.simpson@simpsons.org
+ - Name: ForwardingSmtpAddress
+ Value: smtp:marge.simpson@simpsons.org
+ - Name: DeliverToMailboxAndForward
+ Value: "True"
+ recordtype: 1
+ resultstatus: "True"
+ userid: homer.simpson@simpsons.org
+ userkey: "12345"
+ usertype: 2
+ workload: Exchange
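Review bot: None of the new test cases covers a Set-Mailbox or New-InboxRule event that carries one of the suspicious flags but no forwarding parameter, which is exactly the input on which the Python rule currently alerts for an ordinary delete/move inbox rule. I would add a negative case — `- Name: Delete Rule Without Forwarding` with `ExpectedResult: false` — whose parameters are only Identity, Mailbox, `DeleteMessage: "True"` and `StopProcessingRules: "True"`, so the intended behavior is pinned whichever way the rule logic is settled. The three domain cases added here exercise only Set-Mailbox; a New-InboxRule case forwarding to a subdomain would also cover the internal branch on the inbox-rule path. The Tests list this hunk extends begins in an earlier hunk.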