Merge pull request #520 from splunk/security_hub_response

Security hub response
splunk · Jun 25, 2020 · 0506f93 · 0506f93
2 parents 0cf88ff + 836c123
commit 0506f93
Show file tree

Hide file tree

Showing 27 changed files with 73 additions and 0 deletions.
diff --git a/detections/abnormally_high_aws_instances_launched_by_user.yml b/detections/abnormally_high_aws_instances_launched_by_user.yml
@@ -28,6 +28,8 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 13
   nist:

diff --git a/detections/abnormally_high_aws_instances_launched_by_user___mltk.yml b/detections/abnormally_high_aws_instances_launched_by_user___mltk.yml
@@ -24,6 +24,8 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 13
   nist:

diff --git a/detections/abnormally_high_aws_instances_terminated_by_user.yml b/detections/abnormally_high_aws_instances_terminated_by_user.yml
@@ -28,6 +28,8 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 13
   nist:

diff --git a/detections/abnormally_high_aws_instances_terminated_by_user___mltk.yml b/detections/abnormally_high_aws_instances_terminated_by_user___mltk.yml
@@ -23,6 +23,8 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 13
   nist:

diff --git a/detections/aws_cloud_provisioning_from_previously_unseen_city.yml b/detections/aws_cloud_provisioning_from_previously_unseen_city.yml
@@ -37,6 +37,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 tags:
   analytics_story:
   - AWS Suspicious Provisioning Activities
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 1
   nist:

diff --git a/detections/aws_cloud_provisioning_from_previously_unseen_country.yml b/detections/aws_cloud_provisioning_from_previously_unseen_country.yml
@@ -38,6 +38,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 tags:
   analytics_story:
   - AWS Suspicious Provisioning Activities
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 1
   nist:

diff --git a/detections/aws_cloud_provisioning_from_previously_unseen_region.yml b/detections/aws_cloud_provisioning_from_previously_unseen_region.yml
@@ -37,6 +37,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal
 tags:
   analytics_story:
   - AWS Suspicious Provisioning Activities
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 1
   nist:

diff --git a/detections/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/aws_cross_account_activity_from_previously_unseen_account.yml
@@ -34,6 +34,8 @@ tags:
   - AWS Cross Account Activity
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 16
   nist:

diff --git a/detections/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud_compute_instance_created_by_previously_unseen_user.yml
@@ -28,6 +28,8 @@ tags:
   - Cloud Cryptomining
   cis20:
   - CIS 1
+  mitre_attack_id:
+  - T1078
   nist:
   - ID.AM
   security_domain: endpoint

diff --git a/detections/cloud_compute_instance_started_in_previously_unused_region.yml b/detections/cloud_compute_instance_started_in_previously_unused_region.yml
@@ -29,6 +29,8 @@ tags:
   - Cloud Cryptomining
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 12
   nist:

diff --git a/detections/detect_aws_api_activities_from_unapproved_accounts.yml b/detections/detect_aws_api_activities_from_unapproved_accounts.yml
@@ -51,6 +51,8 @@ tags:
   - Actions on Objectives
   cis20:
   - CIS 16
+  mitre_attack_id:
+  - T1078
   nist:
   - DE.DP
   - DE.CM

diff --git a/detections/detect_aws_console_login_by_user_from_new_city.yml b/detections/detect_aws_console_login_by_user_from_new_city.yml
@@ -33,6 +33,8 @@ tags:
   - Suspicious Cloud Authentication Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 16
   nist:

diff --git a/detections/detect_aws_console_login_by_user_from_new_country.yml b/detections/detect_aws_console_login_by_user_from_new_country.yml
@@ -33,6 +33,8 @@ tags:
   - Suspicious Cloud Authentication Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 16
   nist:

diff --git a/detections/detect_aws_console_login_by_user_from_new_region.yml b/detections/detect_aws_console_login_by_user_from_new_region.yml
@@ -33,6 +33,8 @@ tags:
   - Suspicious Cloud Authentication Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1535
   cis20:
   - CIS 16
   nist:

diff --git a/detections/detect_new_api_calls_from_user_roles.yml b/detections/detect_new_api_calls_from_user_roles.yml
@@ -28,6 +28,9 @@ known_false_positives: It is possible that there are legitimate user roles makin
 tags:
   analytics_story:
   - AWS User Monitoring
+  mitre_attack_id:
+  - T1078
+  - T1098
   cis20:
   - CIS 1
   nist:

diff --git a/detections/detect_new_open_s3_buckets.yml b/detections/detect_new_open_s3_buckets.yml
@@ -25,6 +25,8 @@ tags:
   - Suspicious AWS S3 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1530
   cis20:
   - CIS 13
   nist:

diff --git a/detections/detect_new_user_aws_console_login.yml b/detections/detect_new_user_aws_console_login.yml
@@ -29,6 +29,8 @@ tags:
   - Suspicious AWS Login Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 16
   nist:

diff --git a/detections/detect_s3_access_from_a_new_ip.yml b/detections/detect_s3_access_from_a_new_ip.yml
@@ -28,6 +28,8 @@ tags:
   - Suspicious AWS S3 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1530
   cis20:
   - CIS 13
   - CIS 14

diff --git a/detections/detect_spike_in_aws_api_activity.yml b/detections/detect_spike_in_aws_api_activity.yml
@@ -54,6 +54,8 @@ tags:
   - AWS User Monitoring
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 16
   nist:

diff --git a/detections/detect_spike_in_s3_bucket_deletion.yml b/detections/detect_spike_in_s3_bucket_deletion.yml
@@ -36,6 +36,8 @@ known_false_positives: Based on the values of`dataPointThreshold` and `deviation
 tags:
   analytics_story:
   - Suspicious AWS S3 Activities
+  mitre_attack_id:
+  - T1530
   kill_chain_phases:
   - Actions on Objectives
   cis20:

diff --git a/detections/detect_spike_in_security_group_activity.yml b/detections/detect_spike_in_security_group_activity.yml
@@ -39,6 +39,8 @@ tags:
   - AWS User Monitoring
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 16
   nist:

diff --git a/detections/ec2_instance_modified_with_previously_unseen_user.yml b/detections/ec2_instance_modified_with_previously_unseen_user.yml
@@ -26,6 +26,8 @@ known_false_positives: It's possible that a new user will start to modify EC2 in
 tags:
   analytics_story:
   - Unusual AWS EC2 Modifications
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 1
   nist:

diff --git a/detections/ec2_instance_started_in_previously_unseen_region.yml b/detections/ec2_instance_started_in_previously_unseen_region.yml
@@ -27,6 +27,9 @@ tags:
   - Suspicious AWS EC2 Activities
   kill_chain_phases:
   - Actions on Objectives
+  mitre_attack_id:
+  - T1078
+  - T1535
   cis20:
   - CIS 12
   nist:

diff --git a/detections/ec2_instance_started_with_previously_unseen_user.yml b/detections/ec2_instance_started_with_previously_unseen_user.yml
@@ -27,6 +27,8 @@ tags:
   analytics_story:
   - AWS Cryptomining
   - Suspicious AWS EC2 Activities
+  mitre_attack_id:
+  - T1078
   cis20:
   - CIS 1
   nist:

diff --git a/detections/gcp_gcr_container_uploaded.yml b/detections/gcp_gcr_container_uploaded.yml
@@ -25,3 +25,5 @@ tags:
   - Container Implantation Monitoring and Investigation
   security_domain: threat
   asset_type: GCP GCR Container
+  mitre_attack_id:
+  - T1525
diff --git a/detections/new_container_uploaded_to_aws_ecr.yml b/detections/new_container_uploaded_to_aws_ecr.yml
@@ -24,3 +24,5 @@ tags:
   - Container Implantation Monitoring and Investigation
   security_domain: threat
   asset_type: AWS ECR container
+  mitre_attack_id:
+  - T1525
diff --git a/response_tasks/aws_investigate_security_hub_alerts_by_dest.yml b/response_tasks/aws_investigate_security_hub_alerts_by_dest.yml
@@ -0,0 +1,19 @@
+name: AWS Investigate Security Hub alerts by dest
+id: b0d2e6a8-75fa-4b1b-9486-3d32acadf822
+version: 1
+date: '2020-06-08'
+description: This search retrieves the all the alerts created by AWS Security Hub for a specific dest(instance_id). 
+how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
+  and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail
+  inputs.
+author: Bhavin Patel, Splunk
+inputs:
+- dest
+search: 'sourcetype="aws:securityhub:firehose" "findings{}.Resources{}.Type"=AWSEC2Instance 
+| rex field=findings{}.Resources{}.Id .*instance/(?<instance>.*) | search instance = $dest$ |rename findings{}.* as * | rename Remediation.Recommendation.Text as Remediation |  table instance Title ProductArn Description FirstObservedAt RecordState Remediation'
+tags:
+  analytics_story:
+  - Cloud Compute Instance
+  - Cloud Cryptomining
+  - Suspicious AWS EC2 Activities
+  - AWS Suspicious Provisioning Activities