Commit
Showing 78 changed files with 1,873 additions and 1,459 deletions.
@@ -0,0 +1,25 @@ | ||
name: Previously seen users in CloudTrail - DM | ||
id: 0a87ecf9-dc6a-43af-861a-205e75a09bf5 | ||
version: 1 | ||
date: '2020-05-28' | ||
description: This search looks for CloudTrail events where a user logs into the console, | ||
then creates a baseline of the latest and earliest times, City, Region, and Country | ||
we have encountered this user in our dataset, grouped by username, within the last 30 | ||
days. | ||
how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) | ||
and Enterprise Security 6.2, which contains the required updates to the Authentication data model | ||
for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, | ||
which is a lookup file created by this support search. | ||
author: Rico Valdez, Splunk | ||
search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication | ||
where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | ||
| iplocation Authentication.src | rename Authentication.user as user Authentication.src as src | ||
| table user src City Region Country firstTime lastTime | outputlookup previously_seen_users_console_logins.csv | stats count' | ||
tags: | ||
analytics_story: | ||
- Suspicious Cloud Authentication Activities | ||
detections: | ||
- Detect AWS Console Login by User from New Country | ||
- Detect AWS Console Login by User from New Region | ||
- Detect AWS Console Login by User from New City | ||
- Detect new user AWS Console Login - DM |
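Review bot: the 30-day lookback exists only in the `description`; the `search` itself has no time bounds and the `tags` block carries no `deployments` entry, so neither deployment config added in this commit (`Hourly Cache Updates`, which runs over `-70m@m`..`-10m@m`, or `Long Running Baseline`, which runs over `-7d`) would schedule this baseline, and even the long-running config's 7-day window does not match the 30 days the description promises. Add a `deployments:` list under `tags:` naming the intended config and align the description with that config's `earliest_time`. Minor: the trailing `| stats count` after `outputlookup` only returns a row count and can be dropped.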
baselines/update_previously_seen_users_in_cloudtrail___dm.yml (27 changes: 27 additions & 0 deletions)
@@ -0,0 +1,27 @@ | ||
name: Update previously seen users in CloudTrail - DM | ||
id: 66ff71c2-7e01-47dd-a041-906688c9d322 | ||
version: 1 | ||
date: '2020-05-28' | ||
description: This search looks for CloudTrail events where a user logs into the console, | ||
then updates the baseline of the latest and earliest times, City, Region, and Country | ||
we have encountered this user in our dataset, grouped by user, within the last hour. | ||
how_to_implement: You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) | ||
and Enterprise Security 6.2, which contains the required updates to the Authentication data model | ||
for cloud use cases. Validate the user name entries in `previously_seen_users_console_logins.csv`, | ||
which is a lookup file created by this support search. | ||
author: Rico Valdez, Splunk | ||
search: '| tstats earliest(_time) as firstTime latest(_time) as lastTime from | ||
datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | ||
Authenticaiton.src | iplocation Authentication.src | rename Authentication.user as user | ||
Authentciation.src as src | table user src City Region Country firstTime lastTime | ||
| inputlookup append=t previously_seen_users_console_logins.csv | stats min(firstTime) as | ||
firstTime max(lastTime) as lastTime by user src City Region Country | ||
| outputlookup previously_seen_users_console_logins.csv' | ||
tags: | ||
analytics_story: | ||
- Suspicious Cloud Authentication Activities | ||
detections: | ||
- Detect AWS Console Login by User from New Country | ||
- Detect AWS Console Login by User from New Region | ||
- Detect AWS Console Login by User from New City | ||
- Detect new user AWS Console Login - DM |
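Review bot: the `search` misspells the data-model field twice, in `by Authentication.user Authenticaiton.src` and in `rename Authentication.user as user Authentciation.src as src`. Neither field exists in the Authentication data model, so the `by` clause loses the source address (or tstats errors outright) and the rename is a no-op; `src` is then empty for the fresh rows, and `stats min(firstTime) as firstTime max(lastTime) as lastTime by user src City Region Country` merges them with the lookup contents on an empty key, silently corrupting the baseline that the three "New Country/Region/City" detections depend on. Change both to `Authentication.src`. Same scheduling gap as the initial baseline: the description says "within the last hour" but there is no `deployments: - Hourly Cache Updates` under `tags:`, so the hourly config added in this commit will not run it.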
@@ -0,0 +1,13 @@ | ||
name: Baseline Cache Hourly Updates | ||
id: 1030c701-2acf-4b1a-9970-46c7145caf2d | ||
date: '2020-06-24' | ||
description: This configuration file applies to all baselines with tag deployments Hourly Cache Updates | ||
author: Bhavin Patel | ||
scheduling: | ||
cron_schedule: '55 * * * *' | ||
earliest_time: -70m@m | ||
latest_time: -10m@m | ||
schedule_window: auto | ||
tags: | ||
deployments: | ||
- Hourly Cache Updates |
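Review bot: this config lacks the `version:` key that the baseline files in this commit carry, and the `description` reads awkwardly ("with tag deployments Hourly Cache Updates"); suggest `description: Applies to all baselines tagged with deployments - Hourly Cache Updates`. The schedule itself is coherent: cron at minute 55 with `earliest_time: -70m@m` and `latest_time: -10m@m` covers a 60-minute window that ends 10 minutes before the run, leaving room for indexing lag, which is the right shape for a lookup-update job.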
@@ -0,0 +1,13 @@ | ||
name: Long Running Baseline Searches | ||
id: 6eac9f8b-a35d-4b64-b57f-e5ecde43be6b | ||
date: '2020-06-24' | ||
description: This configuration file applies to all baselines with tag deployments Long Running Baseline | ||
author: Bhavin Patel | ||
scheduling: | ||
cron_schedule: '0 7 * * *' | ||
earliest_time: -7d | ||
latest_time: -now | ||
schedule_window: auto | ||
tags: | ||
deployments: | ||
- Long Running Baseline |
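Review bot: `latest_time: -now` is not a documented Splunk relative-time modifier; the accepted forms are `[+|-]<int><unit>[@<snap>]` or the literal `now`, so this should be `latest_time: now` (or `now@m` to snap). With the search window otherwise being a full 7 days at 07:00 daily, a rejected `latest_time` would mean the long-running baselines never refresh. As with the hourly config, add `version:` for consistency with the baseline files, and tidy the description to "Applies to all baselines tagged with deployments - Long Running Baseline".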
@@ -51,6 +51,8 @@ tags: | |
- Actions on Objectives | ||
cis20: | ||
- CIS 16 | ||
mitre_attack_id: | ||
- T1078 | ||
nist: | ||
- DE.DP | ||
- DE.CM | ||
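Review bot: the hunk header (`-51,6 +51,8`) shows two added lines in the `tags:` block, presumably `mitre_attack_id:` and `- T1078`, but the file this hunk belongs to is not shown on the page, so it cannot be checked against the referenced detections. For consistency, note that the two new baseline files in this commit tag only `analytics_story` and `detections`; if `mitre_attack_id`, `cis20` and `nist` are expected on baselines as well, add them there too, and prefer the indented YAML list style (`  - T1078`) already used by the other lists in the block.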