From 24c1d452ce7c401df7b13bb5c6932db138dcb5c2 Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 10 Jun 2020 16:12:50 -0700 Subject: [PATCH 1/9] updating mitre id and adding response tasks for securityhub events --- ...d_provisioning_from_previously_unseen_city.yml | 2 ++ ...rovisioning_from_previously_unseen_country.yml | 2 ++ ...provisioning_from_previously_unseen_region.yml | 2 ++ ...stance_started_in_previously_unused_region.yml | 2 ++ ...stigate_security_hub_alerts_by_instance_id.yml | 15 +++++++++++++++ 5 files changed, 23 insertions(+) create mode 100644 response_tasks/aws_investigate_security_hub_alerts_by_instance_id.yml diff --git a/detections/aws_cloud_provisioning_from_previously_unseen_city.yml b/detections/aws_cloud_provisioning_from_previously_unseen_city.yml index a128e3fb3b..3957b21928 100644 --- a/detections/aws_cloud_provisioning_from_previously_unseen_city.yml +++ b/detections/aws_cloud_provisioning_from_previously_unseen_city.yml @@ -37,6 +37,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal tags: analytics_story: - AWS Suspicious Provisioning Activities + mitre_attack_id: + - T1535 cis20: - CIS 1 nist: diff --git a/detections/aws_cloud_provisioning_from_previously_unseen_country.yml b/detections/aws_cloud_provisioning_from_previously_unseen_country.yml index 2aba2f4827..af6e8dde55 100644 --- a/detections/aws_cloud_provisioning_from_previously_unseen_country.yml +++ b/detections/aws_cloud_provisioning_from_previously_unseen_country.yml @@ -38,6 +38,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal tags: analytics_story: - AWS Suspicious Provisioning Activities + mitre_attack_id: + - T1535 cis20: - CIS 1 nist: diff --git a/detections/aws_cloud_provisioning_from_previously_unseen_region.yml b/detections/aws_cloud_provisioning_from_previously_unseen_region.yml index 4ae3c4aa77..3ea3a788df 100644 --- a/detections/aws_cloud_provisioning_from_previously_unseen_region.yml 
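Review bot: `T1535` (Unused/Unsupported Cloud Regions) describes resources being placed in AWS regions an account does not normally use, whereas `aws_cloud_provisioning_from_previously_unseen_city` and `_country` appear to key on the geographic origin of the provisioning call (their search bodies are outside the hunk, so this is inferred from the file names and the `known_false_positives` context); if that reading is right the tag overstates the mapping, and the same question applies to the `detect_aws_console_login_by_user_from_new_city`/`_country` hunks in patch 6. The slot of `mitre_attack_id` under `tags` also varies across the series: before `cis20` here, after `cis20` in the `cloud_compute_instance_created_by_previously_unseen_user` and `detect_aws_api_activities_from_unapproved_accounts` hunks, after `asset_type` in the patch 3 hunks, and between `analytics_story` and `kill_chain_phases` in `detect_spike_in_s3_bucket_deletion`. YAML mappings are unordered so nothing breaks, but one fixed position (for example always directly after `kill_chain_phases`, or after `analytics_story` where that key is absent) keeps the detection files diffable against each other.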
+++ b/detections/aws_cloud_provisioning_from_previously_unseen_region.yml @@ -37,6 +37,8 @@ known_false_positives: "This is a strictly behavioral search, so we define \"fal tags: analytics_story: - AWS Suspicious Provisioning Activities + mitre_attack_id: + - T1535 cis20: - CIS 1 nist: diff --git a/detections/cloud_compute_instance_started_in_previously_unused_region.yml b/detections/cloud_compute_instance_started_in_previously_unused_region.yml index f1e972da8a..af26d3c450 100644 --- a/detections/cloud_compute_instance_started_in_previously_unused_region.yml +++ b/detections/cloud_compute_instance_started_in_previously_unused_region.yml @@ -29,6 +29,8 @@ tags: - Cloud Cryptomining kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1535 cis20: - CIS 12 nist: diff --git a/response_tasks/aws_investigate_security_hub_alerts_by_instance_id.yml b/response_tasks/aws_investigate_security_hub_alerts_by_instance_id.yml new file mode 100644 index 0000000000..8b8a866831 --- /dev/null +++ b/response_tasks/aws_investigate_security_hub_alerts_by_instance_id.yml @@ -0,0 +1,15 @@ +name: AWS Investigate Security Hub alerts by instance_id +id: b0d2e6a8-75fa-4b1b-9486-3d32acadf822 +version: 1 +date: '2020-06-08' +description: This search retrieves the all the alerts created by AWS Security Hub for a specific instance_id +how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) + and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail + inputs. +author: Bhavin Patel, Splunk +inputs: +- dest +search: 'sourcetype=aws:securityhub Resources{}.Id = "*$dest$" | stats count min(_time) as firstTime max(_time) as lastTime values(Types{}) values(ProductFields.*) by Title Description Resources{}.Id' +tags: + analytics_story: + - Cloud Compute Instance From 27c181287d1188cf4e46027867607e293c09ac81 Mon Sep 17 00:00:00 2001 
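Review bot: In the new `response_tasks/aws_investigate_security_hub_alerts_by_instance_id.yml` the `how_to_implement` text tells the reader to configure CloudTrail inputs, but the `search` reads `sourcetype=aws:securityhub`, which presumably arrives through a Security Hub findings input rather than the CloudTrail one; the implementation note should name the input the search actually depends on, e.g. `how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure the input that delivers Security Hub findings as sourcetype aws:securityhub.` The `description` reads `retrieves the all the alerts`; `retrieves all the alerts` is intended. `Resources{}.Id = "*$dest$"` is a leading-wildcard match on the resource ARN, which is what makes an `i-…` id match `…:instance/i-…`, but it would equally match any id that merely ends with the `dest` value, so it is worth stating in the description that `dest` is expected to be a full instance id.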
From: bpatel Date: Wed, 10 Jun 2020 16:44:39 -0700 Subject: [PATCH 2/9] adding draft reponses --- ...s_investigate_security_hub_alerts_by_dest.yml} | 5 +++-- ...c2_instance_investigation_and_notification.yml | 15 +++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) rename response_tasks/{aws_investigate_security_hub_alerts_by_instance_id.yml => aws_investigate_security_hub_alerts_by_dest.yml} (82%) create mode 100644 response_tasks/ec2_instance_investigation_and_notification.yml diff --git a/response_tasks/aws_investigate_security_hub_alerts_by_instance_id.yml b/response_tasks/aws_investigate_security_hub_alerts_by_dest.yml similarity index 82% rename from response_tasks/aws_investigate_security_hub_alerts_by_instance_id.yml rename to response_tasks/aws_investigate_security_hub_alerts_by_dest.yml index 8b8a866831..bd7a77214e 100644 --- a/response_tasks/aws_investigate_security_hub_alerts_by_instance_id.yml +++ b/response_tasks/aws_investigate_security_hub_alerts_by_dest.yml @@ -1,8 +1,8 @@ -name: AWS Investigate Security Hub alerts by instance_id +name: AWS Investigate Security Hub alerts by dest id: b0d2e6a8-75fa-4b1b-9486-3d32acadf822 version: 1 date: '2020-06-08' -description: This search retrieves the all the alerts created by AWS Security Hub for a specific instance_id +description: This search retrieves the all the alerts created by AWS Security Hub for a specific dest(instance_id). how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. @@ -13,3 +13,4 @@ search: 'sourcetype=aws:securityhub Resources{}.Id = "*$dest$" | stats count mi tags: analytics_story: - Cloud Compute Instance + - Cloud Cryptomining diff --git a/response_tasks/ec2_instance_investigation_and_notification.yml b/response_tasks/ec2_instance_investigation_and_notification.yml new file mode 100644 index 0000000000..7d64650f7b --- /dev/null 
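Review bot: The rewritten `description` in the renamed `aws_investigate_security_hub_alerts_by_dest.yml` carries over the earlier wording error, `retrieves the all the alerts`; suggest `description: This search retrieves all the alerts created by AWS Security Hub for a specific dest (instance_id).` The rest of the first hunk only retitles the task, and the second hunk only appends `Cloud Cryptomining` to `analytics_story`.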
+++ b/response_tasks/ec2_instance_investigation_and_notification.yml @@ -0,0 +1,15 @@ +name: EC2 Instance Investigation and Notification +id: 3096f721-8842-42ce-2fc7-742d83722212 +version: 1 +date: '2020-06-10' +description: Investigate an AWS Security Hub finding related to an exposed EC2 instance which is being probed by potentially malicious traffic. Gather information about the EC2 configuration, the activity on the server, and any remote IP addresses that are directing traffic at the server. Notify and assign the appropriate people using a Jira ticket and a Slack message, then initiate a prompt to ask a responder whether or not the EC2 instance should be moved to an isolated EC2 Security Group using another playbook called "EC2 Instance Isolation". +how_to_implement: Synchronize the community playbook repository in Phantom, then open + the playbook and follow the deployment notes to configure it for your environment. +author: Philip Royer, Splunk +playbook: + name: ec2_instance_investigation_and_notification + url_json: https://github.com/phantomcyber/playbooks/blob/4.8/ec2_instance_investigation_and_notification.json + url_python: https://github.com/phantomcyber/playbooks/blob/4.8/ec2_instance_investigation_and_notification.py +tags: + analytics_story: + - AWS Suspicious Provisioning Activities \ No newline at end of file From d8c3ded0daa88657d078124eb197d1d7020f4a4e Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 10 Jun 2020 16:52:19 -0700 Subject: [PATCH 3/9] adding T1525 to mitre --- detections/gcp_gcr_container_uploaded.yml | 2 ++ detections/new_container_uploaded_to_aws_ecr.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/detections/gcp_gcr_container_uploaded.yml b/detections/gcp_gcr_container_uploaded.yml index 40c531d147..2c4b21a42d 100644 --- a/detections/gcp_gcr_container_uploaded.yml +++ b/detections/gcp_gcr_container_uploaded.yml 
@@ -25,3 +25,5 @@ tags: - Container Implantation Monitoring and Investigation security_domain: threat asset_type: GCP GCR Container + mitre_attack_id: + - T1525 diff --git a/detections/new_container_uploaded_to_aws_ecr.yml b/detections/new_container_uploaded_to_aws_ecr.yml index 78800dfcdf..8dbb7808cf 100644 --- a/detections/new_container_uploaded_to_aws_ecr.yml +++ b/detections/new_container_uploaded_to_aws_ecr.yml @@ -24,3 +24,5 @@ tags: - Container Implantation Monitoring and Investigation security_domain: threat asset_type: AWS ECR container + mitre_attack_id: + - T1525 From c1ccd745a2580c7d69b5f048343aa5c5650e88f5 Mon Sep 17 00:00:00 2001 From: bpatel Date: Mon, 22 Jun 2020 13:34:58 -0700 Subject: [PATCH 4/9] updated search --- .../aws_investigate_security_hub_alerts_by_dest.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/response_tasks/aws_investigate_security_hub_alerts_by_dest.yml b/response_tasks/aws_investigate_security_hub_alerts_by_dest.yml index bd7a77214e..9d4425c5dc 100644 --- a/response_tasks/aws_investigate_security_hub_alerts_by_dest.yml +++ b/response_tasks/aws_investigate_security_hub_alerts_by_dest.yml 
@@ -9,8 +9,11 @@ how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or late author: Bhavin Patel, Splunk inputs: - dest -search: 'sourcetype=aws:securityhub Resources{}.Id = "*$dest$" | stats count min(_time) as firstTime max(_time) as lastTime values(Types{}) values(ProductFields.*) by Title Description Resources{}.Id' +search: 'sourcetype="aws:securityhub:firehose" "findings{}.Resources{}.Type"=AWSEC2Instance +| rex field=findings{}.Resources{}.Id .*instance/(?.*) | search instance = $dest$ |rename findings{}.* as * | rename Remediation.Recommendation.Text as Remediation | table instance Title ProductArn Description FirstObservedAt RecordState Remediation' tags: analytics_story: - Cloud Compute Instance - Cloud Cryptomining + - Suspicious AWS EC2 Activities + - AWS Suspicious Provisioning Activities From 047680d82ef083726e46c16e9a0c91d0ca534dbd Mon Sep 17 00:00:00 2001 From: bpatel Date: Tue, 23 Jun 2020 16:59:30 -0700 Subject: [PATCH 5/9] untested playbook- remove for now --- ...c2_instance_investigation_and_notification.yml | 15 --------------- 1 file changed, 15 deletions(-) delete mode 100644 response_tasks/ec2_instance_investigation_and_notification.yml diff --git a/response_tasks/ec2_instance_investigation_and_notification.yml b/response_tasks/ec2_instance_investigation_and_notification.yml deleted file mode 100644 index 7d64650f7b..0000000000 --- a/response_tasks/ec2_instance_investigation_and_notification.yml +++ /dev/null 
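Review bot: The new `search` in `aws_investigate_security_hub_alerts_by_dest.yml` extracts with `rex field=findings{}.Resources{}.Id .*instance/(?.*)`, where the capture group carries no name, yet the following command filters on `search instance = $dest$`; as stored, nothing creates an `instance` field, so the filter would match no events (a bare `(?` is not a valid group either, so if a `<instance>` name existed upstream and was lost in transit the committed file needs checking). Suggest `| rex field="findings{}.Resources{}.Id" ".*instance/(?<instance>.*)" | search instance="$dest$"`, which names the group and quotes the brace-containing field name and the regex as is conventional for `rex`. The `@@` context shows `how_to_implement` still pointing the reader at CloudTrail inputs while the sourcetype is now `aws:securityhub:firehose`, so that line, which lies outside the hunk, should instead describe the Kinesis Firehose delivery of Security Hub findings that the search depends on.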
@@ -1,15 +0,0 @@ -name: EC2 Instance Investigation and Notification -id: 3096f721-8842-42ce-2fc7-742d83722212 -version: 1 -date: '2020-06-10' -description: Investigate an AWS Security Hub finding related to an exposed EC2 instance which is being probed by potentially malicious traffic. Gather information about the EC2 configuration, the activity on the server, and any remote IP addresses that are directing traffic at the server. Notify and assign the appropriate people using a Jira ticket and a Slack message, then initiate a prompt to ask a responder whether or not the EC2 instance should be moved to an isolated EC2 Security Group using another playbook called "EC2 Instance Isolation". -how_to_implement: Synchronize the community playbook repository in Phantom, then open - the playbook and follow the deployment notes to configure it for your environment. -author: Philip Royer, Splunk -playbook: - name: ec2_instance_investigation_and_notification - url_json: https://github.com/phantomcyber/playbooks/blob/4.8/ec2_instance_investigation_and_notification.json - url_python: https://github.com/phantomcyber/playbooks/blob/4.8/ec2_instance_investigation_and_notification.py -tags: - analytics_story: - - AWS Suspicious Provisioning Activities \ No newline at end of file From f955708bfc8cc7aba67c87002c2330dc9b71bbfa Mon Sep 17 00:00:00 2001 
From: bpatel Date: Wed, 24 Jun 2020 17:09:27 -0700 Subject: [PATCH 6/9] adding mitre id --- detections/abnormally_high_aws_instances_launched_by_user.yml | 3 +++ .../abnormally_high_aws_instances_launched_by_user___mltk.yml | 2 ++ .../abnormally_high_aws_instances_terminated_by_user.yml | 2 ++ ...abnormally_high_aws_instances_terminated_by_user___mltk.yml | 2 ++ ...s_cross_account_activity_from_previously_unseen_account.yml | 2 ++ ...loud_compute_instance_created_by_previously_unseen_user.yml | 2 ++ .../detect_aws_api_activities_from_unapproved_accounts.yml | 2 ++ detections/detect_aws_console_login_by_user_from_new_city.yml | 2 ++ .../detect_aws_console_login_by_user_from_new_country.yml | 2 ++ .../detect_aws_console_login_by_user_from_new_region.yml | 2 ++ detections/detect_new_api_calls_from_user_roles.yml | 2 ++ detections/detect_new_user_aws_console_login.yml | 2 ++ detections/detect_spike_in_aws_api_activity.yml | 2 ++ detections/detect_spike_in_security_group_activity.yml | 2 ++ .../ec2_instance_modified_with_previously_unseen_user.yml | 2 ++ .../ec2_instance_started_in_previously_unseen_region.yml | 3 +++ .../ec2_instance_started_with_previously_unseen_user.yml | 2 ++ 17 files changed, 36 insertions(+) diff --git a/detections/abnormally_high_aws_instances_launched_by_user.yml b/detections/abnormally_high_aws_instances_launched_by_user.yml index c53af3d951..2e78b07fc9 100644 --- a/detections/abnormally_high_aws_instances_launched_by_user.yml +++ b/detections/abnormally_high_aws_instances_launched_by_user.yml @@ -28,6 +28,9 @@ tags: - Suspicious AWS EC2 Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 + - T1496 cis20: - CIS 13 nist: diff --git a/detections/abnormally_high_aws_instances_launched_by_user___mltk.yml b/detections/abnormally_high_aws_instances_launched_by_user___mltk.yml index 41a777f6b4..be65d9b894 100644 --- a/detections/abnormally_high_aws_instances_launched_by_user___mltk.yml 
+++ b/detections/abnormally_high_aws_instances_launched_by_user___mltk.yml @@ -24,6 +24,8 @@ tags: - Suspicious AWS EC2 Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 cis20: - CIS 13 nist: diff --git a/detections/abnormally_high_aws_instances_terminated_by_user.yml b/detections/abnormally_high_aws_instances_terminated_by_user.yml index bac36b30da..1da461f261 100644 --- a/detections/abnormally_high_aws_instances_terminated_by_user.yml +++ b/detections/abnormally_high_aws_instances_terminated_by_user.yml @@ -28,6 +28,8 @@ tags: - Suspicious AWS EC2 Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 cis20: - CIS 13 nist: diff --git a/detections/abnormally_high_aws_instances_terminated_by_user___mltk.yml b/detections/abnormally_high_aws_instances_terminated_by_user___mltk.yml index 94c4b059e3..f98cd8c857 100644 --- a/detections/abnormally_high_aws_instances_terminated_by_user___mltk.yml +++ b/detections/abnormally_high_aws_instances_terminated_by_user___mltk.yml @@ -23,6 +23,8 @@ tags: - Suspicious AWS EC2 Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 cis20: - CIS 13 nist: diff --git a/detections/aws_cross_account_activity_from_previously_unseen_account.yml b/detections/aws_cross_account_activity_from_previously_unseen_account.yml index 0856164363..1540a3dc64 100644 --- a/detections/aws_cross_account_activity_from_previously_unseen_account.yml +++ b/detections/aws_cross_account_activity_from_previously_unseen_account.yml @@ -35,6 +35,8 @@ tags: - AWS Cross Account Activity kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 cis20: - CIS 16 nist: diff --git a/detections/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud_compute_instance_created_by_previously_unseen_user.yml index 07dbaa29f6..b8353f7744 100644 --- a/detections/cloud_compute_instance_created_by_previously_unseen_user.yml 
+++ b/detections/cloud_compute_instance_created_by_previously_unseen_user.yml @@ -28,6 +28,8 @@ tags: - Cloud Cryptomining cis20: - CIS 1 + mitre_attack_id: + - T1078 nist: - ID.AM security_domain: endpoint diff --git a/detections/detect_aws_api_activities_from_unapproved_accounts.yml b/detections/detect_aws_api_activities_from_unapproved_accounts.yml index 6539c00e6e..6b5d0f1902 100644 --- a/detections/detect_aws_api_activities_from_unapproved_accounts.yml +++ b/detections/detect_aws_api_activities_from_unapproved_accounts.yml @@ -51,6 +51,8 @@ tags: - Actions on Objectives cis20: - CIS 16 + mitre_attack_id: + - T1078 nist: - DE.DP - DE.CM diff --git a/detections/detect_aws_console_login_by_user_from_new_city.yml b/detections/detect_aws_console_login_by_user_from_new_city.yml index a3797cc46e..63ab5474a1 100644 --- a/detections/detect_aws_console_login_by_user_from_new_city.yml +++ b/detections/detect_aws_console_login_by_user_from_new_city.yml @@ -32,6 +32,8 @@ tags: - Suspicious AWS Login Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1535 cis20: - CIS 16 nist: diff --git a/detections/detect_aws_console_login_by_user_from_new_country.yml b/detections/detect_aws_console_login_by_user_from_new_country.yml index 60fccc3b0a..b7d7713507 100644 --- a/detections/detect_aws_console_login_by_user_from_new_country.yml +++ b/detections/detect_aws_console_login_by_user_from_new_country.yml @@ -32,6 +32,8 @@ tags: - Suspicious AWS Login Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1535 cis20: - CIS 16 nist: diff --git a/detections/detect_aws_console_login_by_user_from_new_region.yml b/detections/detect_aws_console_login_by_user_from_new_region.yml index 47ac42c4f2..ad7cbada7b 100644 --- a/detections/detect_aws_console_login_by_user_from_new_region.yml +++ b/detections/detect_aws_console_login_by_user_from_new_region.yml 
@@ -32,6 +32,8 @@ tags: - Suspicious AWS Login Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1535 cis20: - CIS 16 nist: diff --git a/detections/detect_new_api_calls_from_user_roles.yml b/detections/detect_new_api_calls_from_user_roles.yml index ccba53241e..898e93db3b 100644 --- a/detections/detect_new_api_calls_from_user_roles.yml +++ b/detections/detect_new_api_calls_from_user_roles.yml @@ -28,6 +28,8 @@ known_false_positives: It is possible that there are legitimate user roles makin tags: analytics_story: - AWS User Monitoring + mitre_attack_id: + - T1078 cis20: - CIS 1 nist: diff --git a/detections/detect_new_user_aws_console_login.yml b/detections/detect_new_user_aws_console_login.yml index 18071951e4..33f7c81de0 100644 --- a/detections/detect_new_user_aws_console_login.yml +++ b/detections/detect_new_user_aws_console_login.yml @@ -29,6 +29,8 @@ tags: - Suspicious AWS Login Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 cis20: - CIS 16 nist: diff --git a/detections/detect_spike_in_aws_api_activity.yml b/detections/detect_spike_in_aws_api_activity.yml index 297e860092..aaa5ccb783 100644 --- a/detections/detect_spike_in_aws_api_activity.yml +++ b/detections/detect_spike_in_aws_api_activity.yml @@ -54,6 +54,8 @@ tags: - AWS User Monitoring kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 cis20: - CIS 16 nist: diff --git a/detections/detect_spike_in_security_group_activity.yml b/detections/detect_spike_in_security_group_activity.yml index 92c2cc49ae..ea9f1d25dd 100644 --- a/detections/detect_spike_in_security_group_activity.yml +++ b/detections/detect_spike_in_security_group_activity.yml @@ -39,6 +39,8 @@ tags: - AWS User Monitoring kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 cis20: - CIS 16 nist: 
diff --git a/detections/ec2_instance_modified_with_previously_unseen_user.yml b/detections/ec2_instance_modified_with_previously_unseen_user.yml index 88e2e4f956..f6c67ea26c 100644 --- a/detections/ec2_instance_modified_with_previously_unseen_user.yml +++ b/detections/ec2_instance_modified_with_previously_unseen_user.yml @@ -26,6 +26,8 @@ known_false_positives: It's possible that a new user will start to modify EC2 in tags: analytics_story: - Unusual AWS EC2 Modifications + mitre_attack_id: + - T1078 cis20: - CIS 1 nist: diff --git a/detections/ec2_instance_started_in_previously_unseen_region.yml b/detections/ec2_instance_started_in_previously_unseen_region.yml index ab52ff8feb..e2a2d6f12d 100644 --- a/detections/ec2_instance_started_in_previously_unseen_region.yml +++ b/detections/ec2_instance_started_in_previously_unseen_region.yml @@ -27,6 +27,9 @@ tags: - Suspicious AWS EC2 Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1078 + - T1535 cis20: - CIS 12 nist: diff --git a/detections/ec2_instance_started_with_previously_unseen_user.yml b/detections/ec2_instance_started_with_previously_unseen_user.yml index 2eb9eec2d6..b2f4bdce6a 100644 --- a/detections/ec2_instance_started_with_previously_unseen_user.yml +++ b/detections/ec2_instance_started_with_previously_unseen_user.yml @@ -27,6 +27,8 @@ tags: analytics_story: - AWS Cryptomining - Suspicious AWS EC2 Activities + mitre_attack_id: + - T1078 cis20: - CIS 1 nist: From 3c1d9cb4166668a8e284be6690cad3f31898faf9 Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 24 Jun 2020 17:11:33 -0700 Subject: [PATCH 7/9] adding T1098 --- detections/detect_new_api_calls_from_user_roles.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detections/detect_new_api_calls_from_user_roles.yml b/detections/detect_new_api_calls_from_user_roles.yml index 898e93db3b..c0a1bf5067 100644 --- a/detections/detect_new_api_calls_from_user_roles.yml +++ b/detections/detect_new_api_calls_from_user_roles.yml 
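Review bot: `ec2_instance_started_in_previously_unseen_region` receives both `T1078` and `T1535`, while the parallel `cloud_compute_instance_started_in_previously_unused_region` hunk in patch 1 receives only `T1535`; if the two searches flag the same behaviour (their search bodies are outside the hunks), the mappings should agree, either by adding `- T1078` to the cloud_compute file or by dropping it here. Valid Accounts (`T1078`) is an assumption about how the actor obtained access rather than something the unseen-region condition itself observes, so the narrower tag set looks like the more defensible one.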
@@ -30,6 +30,7 @@ tags: - AWS User Monitoring mitre_attack_id: - T1078 + - T1098 cis20: - CIS 1 nist: From c812c56d87bcb03fed90fc7b42c6bbf0323a4ab9 Mon Sep 17 00:00:00 2001 From: bpatel Date: Wed, 24 Jun 2020 17:21:02 -0700 Subject: [PATCH 8/9] updates with T1530 --- detections/detect_new_open_s3_buckets.yml | 2 ++ detections/detect_s3_access_from_a_new_ip.yml | 2 ++ detections/detect_spike_in_s3_bucket_deletion.yml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/detections/detect_new_open_s3_buckets.yml b/detections/detect_new_open_s3_buckets.yml index 889947bac6..bce49e3cf9 100644 --- a/detections/detect_new_open_s3_buckets.yml +++ b/detections/detect_new_open_s3_buckets.yml @@ -25,6 +25,8 @@ tags: - Suspicious AWS S3 Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1530 cis20: - CIS 13 nist: diff --git a/detections/detect_s3_access_from_a_new_ip.yml b/detections/detect_s3_access_from_a_new_ip.yml index 0230e522c9..9d9367c70c 100644 --- a/detections/detect_s3_access_from_a_new_ip.yml +++ b/detections/detect_s3_access_from_a_new_ip.yml @@ -28,6 +28,8 @@ tags: - Suspicious AWS S3 Activities kill_chain_phases: - Actions on Objectives + mitre_attack_id: + - T1530 cis20: - CIS 13 - CIS 14 diff --git a/detections/detect_spike_in_s3_bucket_deletion.yml b/detections/detect_spike_in_s3_bucket_deletion.yml index ddfd7e1b94..6bed383c97 100644 --- a/detections/detect_spike_in_s3_bucket_deletion.yml +++ b/detections/detect_spike_in_s3_bucket_deletion.yml @@ -36,6 +36,8 @@ known_false_positives: Based on the values of`dataPointThreshold` and `deviation tags: analytics_story: - Suspicious AWS S3 Activities + mitre_attack_id: + - T1530 kill_chain_phases: - Actions on Objectives cis20: From 836c123569703e72fa221742d40de035cdde2969 Mon Sep 17 00:00:00 2001 
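Review bot: `detect_spike_in_s3_bucket_deletion` is tagged `T1530` (Data from Cloud Storage Object), a Collection technique about reading bucket contents, whereas a spike in bucket deletions is an Impact behaviour closer to `T1485` (Data Destruction); consider `mitre_attack_id:` / `- T1485` for this file and keep `T1530` for the `detect_new_open_s3_buckets` and `detect_s3_access_from_a_new_ip` hunks, where read access is what the search observes. In this file the key is inserted between `analytics_story` and `kill_chain_phases`, while the other two S3 hunks put it after `kill_chain_phases`, so the three sibling files end up laid out differently for no reason.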
From: Bhavin Patel Date: Thu, 25 Jun 2020 13:57:54 -0700 Subject: [PATCH 9/9] Update abnormally_high_aws_instances_launched_by_user.yml --- detections/abnormally_high_aws_instances_launched_by_user.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/detections/abnormally_high_aws_instances_launched_by_user.yml b/detections/abnormally_high_aws_instances_launched_by_user.yml index 2e78b07fc9..5a496f8565 100644 --- a/detections/abnormally_high_aws_instances_launched_by_user.yml +++ b/detections/abnormally_high_aws_instances_launched_by_user.yml @@ -30,7 +30,6 @@ tags: - Actions on Objectives mitre_attack_id: - T1078 - - T1496 cis20: - CIS 13 nist: