Update erroneous cloud security_domain #3172

Merged
merged 4 commits into from
Oct 23, 2024
@@ -1,7 +1,7 @@
name: Abnormally High Number Of Cloud Instances Destroyed
id: ef629fc9-1583-4590-b62a-f2247fbf7bbf
version: 3
date: '2024-10-17'
version: 4
date: '2024-10-22'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
Expand Down Expand Up @@ -66,4 +66,4 @@ tags:
- All_Changes.object_category
- All_Changes.user
risk_score: 25
security_domain: cloud
security_domain: threat
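Review bot: the PR title calls the cloud value erroneous, but neither the description nor the diff points at the schema that rejects it; please link the security_domain enum in the PR description so the eight remappings can be checked against it rather than taken on trust. The choice of threat here also needs a sentence of rationale, because the IAM group-deletion hunks in the same PR go to access: the implied rule is that a detection about resource activity (instances, function code) is threat and one about changes to permissions is access, and writing that rule down would make future cloud detections easier to classify. Note too that this hunk runs to the end of the file, so unlike the production detections below there is no tests: block after security_domain, which is consistent with status: experimental but leaves the remapping untested.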
@@ -1,7 +1,7 @@
name: Abnormally High Number Of Cloud Instances Launched
id: f2361e9f-3928-496c-a556-120cd4223a65
version: 4
date: '2024-10-17'
version: 5
date: '2024-10-22'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
Expand Down Expand Up @@ -62,4 +62,4 @@ tags:
- All_Changes.object_category
- All_Changes.user
risk_score: 25
security_domain: cloud
security_domain: threat
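Review bot: consistent with the Destroyed detection above (same author, same risk_score of 25, same experimental status), so threat is right here if it is right there, and the two should never diverge. As in that file, the hunk ends at end of file with no tests: block following security_domain, so the change is not covered by a True Positive Test; worth tracking alongside the experimental status.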
6 changes: 3 additions & 3 deletions detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
name: ASL AWS IAM Failure Group Deletion
id: 8d12f268-c567-4557-9813-f8389e235c06
version: 4
date: '2024-09-30'
version: 5
date: '2024-10-22'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
Expand Down Expand Up @@ -53,7 +53,7 @@ tags:
- src_endpoint.ip
- cloud.region
risk_score: 5
security_domain: cloud
security_domain: access
tests:
- name: True Positive Test
attack_data:
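Review bot: access is the sensible domain for IAM group deletion, an event about who holds permissions rather than about resource activity, and it matches the other three group-deletion hunks in this PR (ASL and CloudTrail, failure and success), so nothing blocks this hunk. One nit for the PR description: list the failure and success variants of the same event together so a reader can confirm they moved to the same domain, since a failed and a successful deletion landing in different domains would split one attacker action across two buckets.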
6 changes: 3 additions & 3 deletions detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -1,7 +1,7 @@
name: ASL AWS IAM Successful Group Deletion
id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac
version: 3
date: '2024-10-17'
version: 4
date: '2024-10-22'
author: Patrick Bareiss, Splunk
status: production
type: Hunting
Expand Down Expand Up @@ -58,7 +58,7 @@ tags:
- src_endpoint.ip
- cloud.region
risk_score: 5
security_domain: cloud
security_domain: access
tests:
- name: True Positive Test
attack_data:
6 changes: 3 additions & 3 deletions detections/cloud/aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
name: AWS IAM Failure Group Deletion
id: 723b861a-92eb-11eb-93b8-acde48001122
version: 4
date: '2024-09-30'
version: 5
date: '2024-10-22'
author: Michael Haag, Splunk
status: production
type: Anomaly
Expand Down Expand Up @@ -52,7 +52,7 @@ tags:
- errorCode
- requestParameters.groupName
risk_score: 5
security_domain: cloud
security_domain: access
tests:
- name: True Positive Test
attack_data:
6 changes: 3 additions & 3 deletions detections/cloud/aws_iam_successful_group_deletion.yml
@@ -1,7 +1,7 @@
name: AWS IAM Successful Group Deletion
id: e776d06c-9267-11eb-819b-acde48001122
version: 3
date: '2024-10-17'
version: 4
date: '2024-10-22'
author: Michael Haag, Splunk
status: production
type: Hunting
Expand Down Expand Up @@ -65,7 +65,7 @@ tags:
- errorCode
- requestParameters.groupName
risk_score: 5
security_domain: cloud
security_domain: access
tests:
- name: True Positive Test
attack_data:
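Review bot: with this hunk all four IAM group-deletion detections (ASL and CloudTrail, failure and success) sit on access with risk_score 5, which is the consistency a reviewer wants; please keep the four in lockstep in any later version bump, since the CloudTrail and ASL files are easy to update separately and drift apart. The Hunting type and the errorCode and requestParameters.groupName context fields are untouched, so no further change is needed here.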
6 changes: 3 additions & 3 deletions detections/cloud/aws_lambda_updatefunctioncode.yml
@@ -1,7 +1,7 @@
name: AWS Lambda UpdateFunctionCode
id: 211b80d3-6340-4345-11ad-212bf3d0d111
version: 3
date: '2024-10-17'
version: 4
date: '2024-10-22'
author: Bhavin Patel, Splunk
status: production
type: Hunting
Expand Down Expand Up @@ -54,7 +54,7 @@ tags:
- userAgent
- errorCode
risk_score: 63
security_domain: cloud
security_domain: threat
tests:
- name: True Positive Test
attack_data:
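Review bot: threat fits here better than access: UpdateFunctionCode replaces what a function executes, so it is a code-execution or persistence action rather than a permissions change, which is the same distinction the IAM hunks above draw in the other direction. Please state that distinction in the PR description, since the page otherwise gives no rule for choosing between threat and access for cloud detections, and a future contributor adding a Lambda permission detection would have to guess. The risk_score of 63 is unchanged and out of scope.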
@@ -1,7 +1,7 @@
name: Risk Rule for Dev Sec Ops by Repository
id: 161bc0ca-4651-4c13-9c27-27770660cf67
version: 3
date: '2024-09-30'
version: 4
date: '2024-10-22'
author: Bhavin Patel
status: production
type: Correlation
Expand Down Expand Up @@ -42,7 +42,7 @@ tags:
required_fields:
- _time
risk_score: 70
security_domain: cloud
security_domain: threat
tests:
- name: True Positive Test
attack_data:
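Review bot: style point on the unchanged context, since the file is being touched anyway: author reads 'Bhavin Patel' without the ', Splunk' suffix that every other file in this PR uses, including aws_lambda_updatefunctioncode.yml by the same author; aligning it in this bump avoids another metadata-only version increment later. On the change itself, threat is consistent with the other non-IAM remappings in the PR, and as a Correlation rule with risk_score 70 this is the highest-scored file in the set, so it is the one where a wrong domain value would matter most.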