From 6da6231f1e08c30ed43e765f0bb863dbd366c0aa Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 22 Oct 2024 10:29:06 -0700
Subject: [PATCH 1/2] Update erroneous cloud security_domain to valid values
---
 .../abnormally_high_number_of_cloud_instances_destroyed.yml | 2 +-
 .../abnormally_high_number_of_cloud_instances_launched.yml | 2 +-
 detections/cloud/asl_aws_iam_failure_group_deletion.yml | 2 +-
 detections/cloud/asl_aws_iam_successful_group_deletion.yml | 2 +-
 detections/cloud/aws_iam_failure_group_deletion.yml | 2 +-
 detections/cloud/aws_iam_successful_group_deletion.yml | 2 +-
 detections/cloud/aws_lambda_updatefunctioncode.yml | 2 +-
 detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
index 48075ebea8..0e7105ea8d 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
@@ -66,4 +66,4 @@ tags:
 - All_Changes.object_category
 - All_Changes.user
 risk_score: 25
- security_domain: cloud
+ security_domain: threat
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
index bfd7a1a798..54d2251fe6 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
@@ -62,4 +62,4 @@ tags:
 - All_Changes.object_category
 - All_Changes.user
 risk_score: 25
- security_domain: cloud
+ security_domain: threat
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index 1161356d59..c096875e63 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
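Review bot: Nothing in this series records why these eight detections split into `access` (the four IAM group-deletion hunks) and `threat` (the two instance-count anomalies, the Lambda UpdateFunctionCode hunting search and the DevSecOps risk rule), and since `security_domain` is presumably what Enterprise Security uses to route and filter the resulting notables and risk events, that choice deserves a sentence in the commit description so the next maintainer does not re-debate it. The title says the old `cloud` value was erroneous, which suggests the repository's validation accepted it before; if that is the case, a schema or build check that enforces the allowed set would stop it from being reintroduced by the next contribution, and no such check is part of this series. Operators who filter or report on `security_domain=cloud` will also silently stop seeing these detections once this lands, so a release-note line seems warranted. This note covers all eight `security_domain` hunks in PATCH 1/2.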
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -53,7 +53,7 @@ tags:
 - src_endpoint.ip
 - cloud.region
 risk_score: 5
- security_domain: cloud
+ security_domain: access
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index 516e79ee01..50dd43fba5 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -58,7 +58,7 @@ tags:
 - src_endpoint.ip
 - cloud.region
 risk_score: 5
- security_domain: cloud
+ security_domain: access
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml
index f8fefbf830..b6c4ad3b80 100644
--- a/detections/cloud/aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/aws_iam_failure_group_deletion.yml
@@ -52,7 +52,7 @@ tags:
 - errorCode
 - requestParameters.groupName
 risk_score: 5
- security_domain: cloud
+ security_domain: access
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml
index 93a102d397..b21b638ce9 100644
--- a/detections/cloud/aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/aws_iam_successful_group_deletion.yml
@@ -65,7 +65,7 @@ tags:
 - errorCode
 - requestParameters.groupName
 risk_score: 5
- security_domain: cloud
+ security_domain: access
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml
index 50775d3bdf..c6c23fffb7 100644
--- a/detections/cloud/aws_lambda_updatefunctioncode.yml
+++ b/detections/cloud/aws_lambda_updatefunctioncode.yml
@@ -54,7 +54,7 @@ tags:
 - userAgent
 - errorCode
 risk_score: 63
- security_domain: cloud
+ security_domain: threat
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
index f59ea8a355..2368774b4f 100644
--- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
+++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
@@ -42,7 +42,7 @@ tags:
 required_fields:
 - _time
 risk_score: 70
- security_domain: cloud
+ security_domain: threat
 tests:
 - name: True Positive Test
 attack_data:
From c5f378eed8966dd6617b2c4cedc9d2b33a80539a Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Tue, 22 Oct 2024 10:38:25 -0700
Subject: [PATCH 2/2] bump all versions and dates
---
 .../abnormally_high_number_of_cloud_instances_destroyed.yml | 4 ++--
 .../abnormally_high_number_of_cloud_instances_launched.yml | 4 ++--
 detections/cloud/asl_aws_iam_failure_group_deletion.yml | 4 ++--
 detections/cloud/asl_aws_iam_successful_group_deletion.yml | 4 ++--
 detections/cloud/aws_iam_failure_group_deletion.yml | 4 ++--
 detections/cloud/aws_iam_successful_group_deletion.yml | 4 ++--
 detections/cloud/aws_lambda_updatefunctioncode.yml | 4 ++--
 detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml | 4 ++--
 8 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
index 0e7105ea8d..042f705b4b 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Instances Destroyed
 id: ef629fc9-1583-4590-b62a-f2247fbf7bbf
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2024-10-22'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
index 54d2251fe6..555914d18f 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Instances Launched
 id: f2361e9f-3928-496c-a556-120cd4223a65
-version: 4
-date: '2024-10-17'
+version: 5
+date: '2024-10-22'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index c096875e63..b82b466708 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
 name: ASL AWS IAM Failure Group Deletion
 id: 8d12f268-c567-4557-9813-f8389e235c06
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2024-10-22'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index 50dd43fba5..3931ef4f5b 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -1,7 +1,7 @@
 name: ASL AWS IAM Successful Group Deletion
 id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2024-10-22'
 author: Patrick Bareiss, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml
index b6c4ad3b80..00cbe505ec 100644
--- a/detections/cloud/aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
 name: AWS IAM Failure Group Deletion
 id: 723b861a-92eb-11eb-93b8-acde48001122
-version: 4
-date: '2024-09-30'
+version: 5
+date: '2024-10-22'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml
index b21b638ce9..ceea49388c 100644
--- a/detections/cloud/aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/aws_iam_successful_group_deletion.yml
@@ -1,7 +1,7 @@
 name: AWS IAM Successful Group Deletion
 id: e776d06c-9267-11eb-819b-acde48001122
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2024-10-22'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml
index c6c23fffb7..e25a16f1e2 100644
--- a/detections/cloud/aws_lambda_updatefunctioncode.yml
+++ b/detections/cloud/aws_lambda_updatefunctioncode.yml
@@ -1,7 +1,7 @@
 name: AWS Lambda UpdateFunctionCode
 id: 211b80d3-6340-4345-11ad-212bf3d0d111
-version: 3
-date: '2024-10-17'
+version: 4
+date: '2024-10-22'
 author: Bhavin Patel, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
index 2368774b4f..56c82d08e1 100644
--- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
+++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
@@ -1,7 +1,7 @@
 name: Risk Rule for Dev Sec Ops by Repository
 id: 161bc0ca-4651-4c13-9c27-27770660cf67
-version: 3
-date: '2024-09-30'
+version: 4
+date: '2024-10-22'
 author: Bhavin Patel
 status: production
 type: Correlation