Across the latest content release, the Threat Labs team has made a series of new AWS specific detections and a set of improvements both to the mappers and parser to include proper inbound / outbound network connection directional flow, and port assignments for AWS GuardDuty. Additional context and minor corrections/improvements can found within the list below.
Rules
- [New] MATCH-S00874 AWS Lambda Function Recon
- [New] MATCH-S00875 AWS VPC FLow Log Deletion
- [New] MATCH-S00876 Potential AWS Security Credential Access via curl
- [Updated] MATCH-S00226 Azure - Add Member to Group, TLAB-542 Update Azure Group Add rule and mapper addition, Keys updated:
summary_expression
,normalized_summary
Log Mappers
- [Updated] AWS GuardDuty Alerts from Sumo CIP
- [Updated] AWSGuardDuty_Backdoor
- [Updated] AWSGuardDuty_Behavior
- [Updated] AWSGuardDuty_Catch_All
- [Updated] AWSGuardDuty_CryptoCurrency
- [Updated] AWSGuardDuty_Discovery
- [Updated] AWSGuardDuty_Exfiltration
- [Updated] AWSGuardDuty_PenTest
- [Updated] AWSGuardDuty_Trojan
- [Updated] AzureActivityLog AuditLogs
- [Updated] Recon_EC2_PortProbeUnprotectedPort
- [Updated] Recon_EC2_Portscan
- [Updated] Recon_IAMUser
- [Updated] UnauthorizedAccess_EC2_SSHBruteForce
- [Updated] UnauthorizedAccess_EC2_TorClient
- [Updated] UnauthorizedAccess_EC2_TorIPCaller
- [Updated] UnauthorizedAccess_EC2_TorRelay
- [Updated] UnauthorizedAccess_IAMUser
Parsers
- [Updated] /Parsers/System/AWS/AWS S3 Server Access Logs, AWS S3 Server Access Logs Parser Fix Related to New Fields and Wrapper
- [Updated] /Parsers/System/Cisco/Cisco ASA, Modifies ASA header parser to account for additional delimiter variant
- [Updated] /Parsers/System/AWS/GuardDuty