Rules
Updates several Azure based rules to account for modifications made to normalization mappers.
- [New] MATCH-S00873 AWS EKS Cluster Configuration Updated: AWS EKS clusters contain various configuration options, including for which IP addresses can access the cluster API. Ensure that this change is authorized and expected.
- [New] MATCH-S00872 AWS EKS Failed Curl Authentication Attempt: Failed instances of curl usage within a containerized environment should occur rarely. Investigate the source IP address used to ensure that it is legitimate.
- [New] MATCH-S00871 AWS EKS Pod Shared Object Modification or Creation: A Kubernetes pod was either created, updated or patched with a shared process namespace.
- [New] MATCH-S00870 AWS EKS Secrets Created: Kubernetes secrets may be created for legitimate purposes. Ensure that the secret created is from an IAM account that is expected to manage Kubernetes workloads on EKS.
- [New] MATCH-S00869 AWS EKS Secrets Deleted: Kubernetes secrets may be deleted for legitimate purposes. Ensure that the secret created is from an IAM account that is expected to manage Kubernetes workloads on EKS.
- [New] FIRST-S00036 First Seen AWS EKS API Call via CloudTrail from User: The user
user_username
has performed an operation on an EKS cluster for the first time since the baseline period. - [New] FIRST-S00037 First Seen AWS EKS Admission Controller Created by IP Address: First Seen Admission Controllers (submit a new MutatingWebhookConfiguration or ValidatingWebhookConfiguration object via the Kubernetes API, or update an existing one.)
- [New] FIRST-S00035 First Seen AWS EKS Secrets Enumeration from IP Address:
srcDevice_ip
has enumerated secrets on an AWS EKS cluster for the first time since the baseline period. - [New] FIRST-S00034 First Seen Session Token Granted to User from New IP: An AWS Session token was issued for the first time since the baseline period to
user_username
using the IP address ofsrcDevice_ip
. - [New] FIRST-S00033 First Seen Terminal-Attached Pod Deployed to EKS: A pod was deployed with an attached terminal (stdin=true,stdout=true,tty=true) for the first time since the baseline period.
- [New] THRESHOLD-S00114 HTTP Response Error Spike to AWS EKS: HTTP web services provide response codes to client requests. The response code numbers in the 400s are used to indicate a client related error and response code numbers in the 500s represent server related errors. This rule looks for a AWS EKS cluster receiving a large frequency of web errors within a short period of time. It is unusual for a web client to cause this many errors in a short period of time. Common occurrences for this behavior is scanning/probing activity or scripted web clients which are now encountering errors due to a misconfiguration or recent change. This rule alerts when a host on the monitored network triggers the threshold.
- [New] MATCH-S00868 New Binding Role Created on AWS EKS: A role binding grants a resource superuser or administrative access to a Kubernetes cluster. Ensure this action is expected and performed by known Kubernetes administrators.
- [New] MATCH-S00867 New Cluster Admin Binding Role Created on AWS EKS: A cluster-admin role binding grants a resource superuser or administrative access to a Kubernetes cluster. Ensure this action is expected and performed by known Kubernetes administrators.
- [New] MATCH-S00866 Privileged Pod Created on AWS EKS: Privileged containers have all capabilities of the host machine. These privileged containers may perform actions directly on the host that they are running on. Ensure that this event is expected and occurs from a user account or IP address that normally works with privileged containers within the cluster. Customers are encouraged to set up an exclusion list for
spec.securitycontext.capabilities
for pods that are frequently going to be managed with privileged escalation. - [Updated] MATCH-S00864 Azure Firewall Rule Modified
- [Updated] MATCH-S00839 Azure Virtual Machine RunCommand Issued
- [Updated] FIRST-S00021 First Seen Azure Virtual Machine Run Command Issued by User
- [Updated] FIRST-S00032 First Seen Kubectl Command From User: Expanded record types considered to include Endpoint.
- [Updated] CHAIN-S00012 Potential Azure Persistence via Automation Accounts
- [Updated] MATCH-S00167 Recon Using Common Windows Commands: Narrowed rule criteria to Windows executables to prevent erroneous matches from *nix based systems
Log Mappers
- [New] Administrator Audit Trail: Modified CyberArk EPM mappers to include alternate field values.
- [New] Administrator Logon
- [New] Darktrace Parser - Anomalous Connection: Modifies Darktrace mappers to include alternate field values and supports additional events.
- [New] Darktrace Parser - Brute Force Attempt
- [New] DocuSign Monitor - Alert
- [New] DocuSign Monitor - Catch All: Adds support for DocuSign Monitor events via C2C.
- [New] Druva inSync - Catch All: Adds support for Druva events via C2C.
- [New] Jamf Audit User - Authentication
- [New] Jamf Audit User - Endpoint
- [New] Jamf Audit User - Network
- [New] Workday - Sign On: Expands mapping support for Workday logs ingested via C2C.
- [Updated] Azure Administrative logs
- [Updated] Cisco Meraki IDS Alert - C2C: Corrects typo in mapper for some IP/port fields
- [Updated] Darktrace Parser - Catch All:
- [Updated] Darktrace Parser - New Device
- [Updated] Darktrace Parser Events
- [Updated] Jamf Audit User - Audit
- [Updated] Sysdig Benchmark JSON: Corrects bug in severity mapping for Sysdig mappers.
- [Updated] Sysdig Policy Detection JSON: Corrects bug in severity mapping for Sysdig mappers.
- [Updated] Sysdig Scanning JSON: Corrects bug in severity mapping for Sysdig mappers.
- [Updated] Workday - Catch All: Expands mapping support for Workday logs ingested via C2C.
- [Updated] Zscaler - Nanolog Streaming Service - JSON: Corrects NSS record type to NetworkProxy instead of NetworkFlow
Parsers
Adds support for DocuSign Monitor and Druva inSync Cloud, and additional support for Meraki, CyberArk, and Workday events.
- [New] /Parsers/System/DocuSign/DocuSign Monitor
- [New] /Parsers/System/Druva/Druva inSync Cloud
- [Updated] /Parsers/System/Cisco/Cisco Meraki: Strip off extraneous … from URLs
- [Updated] /Parsers/System/Cyber-Ark/CyberArk EPM JSON: Corrected time parsing
- [Updated] /Parsers/System/Darktrace/Darktrace JSON
- [Updated] /Parsers/System/Duo Security/Duo Multi-Factor Authentication: Duo Parser Fix for Setting Event ID Correctly
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CEF: Adds support for Network events ingested via a log forwarder or Cortex Data Lake.
- [Updated] /Parsers/System/Workday/Workday