October 04, 2024 - Content Release
This content release includes:
- Detection rules centered around Amazon Bedrock activities.
- Consolidation of AWS CloudTrail mappers to replicate current mapper behavior with fewer distinct mappers.
- New support for GitHub Enterprise Audit (parsing and mapping).
- New support for Honeywell Pro-Watch (parsing and mapping).
- New support for Citrix Zendesk (parsing and mapping).
- Further mapping updates to better employ Normalized Classification fields across data sources.
- Removal of some duplicate mapped fields.
- Other changes enumerated below.
Rules​
- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed
- An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized. Take a look at the full event details, particularly the requestParameters.loggingConfig* fields in order to see what specific configuration values were changed. Telemetry and logging configuration changes should be a relatively rare occurrence in the environment.
- [New] MATCH-S00922 AWS Bedrock Agent Created
- This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
- [New] MATCH-S00924 AWS Bedrock Guardrail Deleted
- AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change. Look at other activity from this user account, focusing on the Bedrock service and pivoting from there if the event is deemed suspicious.
- [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User
- A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock. However, it could also be a malicious attempt at running a particular model via AWS Bedrock. Take a look at the username, IP address, role type, role and model via the "requestParameters.modelId" field.
- [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User
- A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model. Ensure this model is authorized to be utilized in the environment and that the user requesting access to the model is authorized to perform these actions.
- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
- A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock. The http_userAgent field will contain the user agent used to perform this enumeration and will help determine whether a browser or CLI tool was used to perform this type of enumeration. Consider excluding service accounts and authorized users from this rule via a rule tuning expression if excessive signal activity is observed.
- [New] FIRST-S00084 - First Seen AWS Bedrock API Call from User
- This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services. Look at the "action" field to determine what API calls are being made and whether this activity is expected.
- [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
- An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation. Bedrock Agents can be configured with various parameters to build AI applications. Take a look at the "responseElements.agent.agentName" field to see the name of the agent being created. Ensure that the user creating the agent is authorized to develop AI applications within the environment.
- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period. This signal is designed to pair with “Trufflehog AWS Credential Verification Detected” to provide coverage for legitimate and internal Trufflehog scans. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
- [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
- AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM. The following AWS documentation outlines this behavior: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html. Look at other events the user in question is performing in order to investigate this signal. Consider excluding authorized users via a match list if this signal is triggering too many false positives.
- [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User
- An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
- [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
- An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts. Observe the username, role, user agent and source IP to confirm whether this activity is expected. If this signal is triggering frequently, consider excluding certain authorized users via tuning expression.
- [New] OUTLIER-S00024 - AWS DynamoDB Outlier in GetItem Events from User
- An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances. Consider excluding authorized users from this signal or tweaking the minimum count value if this signal is triggering too often. Data events from DynamoDB are required in order for this signal to function.
- [New] OUTLIER-S00025 - AWS S3 Outlier in PutObject Denied Events
- This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function. Denied PutObject access events can stem from IAM policies or bucket policies. Look at the user, role, IP address from the events to determine whether this activity is expected. In certain cases, access denied events to S3 can also result in unexpected AWS charges.
- [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call. Within this telemetry, the user_username field will contain the value of the username associated with the secret or credential that Trufflehog is attempting to verify. Look at the events surrounding the source IP address of this event. Look for any potential areas that may have contained keys or secrets for the user_username value.
Log Mappers​
New Event/Source Support​
- [New] Fortinet utm-ssl Logs
- [New] GitHub Enterprise Audit - Access Events
- [New] GitHub Enterprise Audit - Authentication Events
- [New] GitHub Enterprise Audit - Create Events
- [New] GitHub Enterprise Audit - Modify Events
- [New] GitHub Enterprise Audit - Remove Events
- [New] GitHub Enterprise Audit - Restore Events
- [New] GitHub Enterprise Audit - Transfer Events
- [New] GitHub Enterprise Audit Catch All
- [New] Honeywell Pro-Watch Catch All
- [New] Zendesk Catch All
Extended Normalized Classification Support​
- [Updated] Azure Event Hub - Windows Defender Logs
- [Updated] Azure ManagedIdentitySignInLogs
- [Updated] Azure NonInteractiveUserSignInLogs
- [Updated] Azure ServicePrincipalSignInLogs
- [Updated] Azure Write and Delete Logs
- [Updated] AzureActivityLog 01
- [Updated] Carbon Black Cloud - Observation event
- [Updated] Carbon Black Cloud Script Load
- [Updated] Cisco ASA 109005-8 JSON
- [Updated] Cisco ASA 113005
- [Updated] Cisco ASA 113005 JSON
- [Updated] Cisco ASA 113012-17 JSON
- [Updated] Cisco ASA 716039 JSON
- [Updated] Cisco ASA 719022-3 JSON
- [Updated] Cisco ASA 751011 JSON
- [Updated] Citrix NetScaler - AAA-LOGIN_FAILED
- [Updated] CrowdStrike FDR - CriticalFileAccessed
- [Updated] CylancePROTECT Threats
- [Updated] Fortinet Event Logs
- [Updated] Fortinet Virus Logs
- [Updated] Kaspersky Endpoint Security Catch All
- [Updated] Lacework Alert
- [Updated] Linux OS Syslog - Cron - Session Closed
- [Updated] Linux OS Syslog - Cron - Session Opened
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid Password
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure Invalid User
- [Updated] Linux OS Syslog - Process sshd - SSH Auth Failure No ID String
- [Updated] Linux OS Syslog - Process sshd - SSH Public Key Not Allowed
- [Updated] Linux OS Syslog - Process sudo - Superuser Do Command Execution
- [Updated] Linux OS Syslog - Process systemd - Systemd Session Start
- [Updated] McAfee WebGateway - CEF - User Login Failed
- [Updated] Microsoft Defender for Cloud - Security Alerts
- [Updated] Microsoft Office 365 Active Directory Authentication Events
- [Updated] Microsoft Office 365 Threat Intelligence Atp Content Events
- [Updated] OSSEC Alert
- [Updated] OpenVPN Authentication Attempt
- [Updated] OpenVPN Logon Attempt
- [Updated] Osquery Process Auditing
- [Updated] Palo Alto Traps - Custom Parser
- [Updated] RSA SecurID SinglePoint Authentication
- [Updated] Snowflake Login
- [Updated] Symantec Agent Behavior Logs
- [Updated] Symantec Agent Risk Logs
- [Updated] Symantec Agent Risk SONAR Logs
- [Updated] Symantec Agent Scan Logs
- [Updated] Sysdig Kubernetes JSON
- [Updated] Tanium IOC Event - CEF Custom Parser
- [Updated] Windows - Security - 4625
Added 'Cause' mapping and added 'null' as a skipped value​
- [Updated] Okta Authentication - auth_via_AD_agent
- [Updated] Okta Authentication - auth_via_mfa
- [Updated] Okta Authentication - auth_via_radius
- [Updated] Okta Authentication - sso
- [Updated] Okta Authentication Events
- [Updated] Okta Catch All
- [Updated] Okta Security Threat Events
Consolidated CloudTrail Mappings​
- [Deleted] CloudTrail - cloudtrail.amazonaws.com - DeleteTrail
- [Deleted] CloudTrail - cloudtrail.amazonaws.com - StartLogging
- [Deleted] CloudTrail - cloudtrail.amazonaws.com - StopLogging
- [Deleted] CloudTrail - cloudtrail.amazonaws.com - UpdateTrail
- [Deleted] CloudTrail - ec2.amazonaws.com - AttachInternetGateway
- [Deleted] CloudTrail - ec2.amazonaws.com - AuthorizeSecurityGroupIngress
- [Deleted] CloudTrail - ec2.amazonaws.com - CreateCustomerGateway
- [Deleted] CloudTrail - ec2.amazonaws.com - CreateInternetGateway
- [Deleted] CloudTrail - ec2.amazonaws.com - CreateKeyPair
- [Deleted] CloudTrail - ec2.amazonaws.com - CreateNetworkAclEntry
- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteCustomerGateway
- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteInternetGateway
- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteKeyPair
- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAcl
- [Deleted] CloudTrail - ec2.amazonaws.com - DeleteNetworkAclEntry
- [Deleted] CloudTrail - ec2.amazonaws.com - DetachInternetGateway
- [Deleted] CloudTrail - ec2.amazonaws.com - ImportKeyPair
- [Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclAssociation
- [Deleted] CloudTrail - ec2.amazonaws.com - ReplaceNetworkAclEntry
- [Deleted] CloudTrail - iam.amazonaws.com - AttachGroupPolicy
- [Deleted] CloudTrail - iam.amazonaws.com - AttachRolePolicy
- [Deleted] CloudTrail - iam.amazonaws.com - AttachUserPolicy
- [Deleted] CloudTrail - iam.amazonaws.com - CreateAccessKey
- [Deleted] CloudTrail - iam.amazonaws.com - CreatePolicy
- [Deleted] CloudTrail - iam.amazonaws.com - CreatePolicyVersion
- [Deleted] CloudTrail - iam.amazonaws.com - CreateUser
- [Deleted] CloudTrail - iam.amazonaws.com - DeletePolicy
- [Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePermissionsBoundary
- [Deleted] CloudTrail - iam.amazonaws.com - DeleteRolePolicy
- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUser
- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPermissionsBoundary
- [Deleted] CloudTrail - iam.amazonaws.com - DeleteUserPolicy
- [Deleted] CloudTrail - iam.amazonaws.com - DetachGroupPolicy
- [Deleted] CloudTrail - iam.amazonaws.com - DetachRolePolicy
- [Deleted] CloudTrail - iam.amazonaws.com - DetachUserPolicy
- [Deleted] CloudTrail - iam.amazonaws.com - PutGroupPolicy
- [Deleted] CloudTrail - iam.amazonaws.com - PutRolePolicy
- [Deleted] CloudTrail - iam.amazonaws.com - PutUserPolicy
- [Deleted] CloudTrail - iam.amazonaws.com - UpdateAssumeRolePolicy
- [Deleted] CloudTrail - kms.amazonaws.com - ScheduleKeyDeletion
- [Deleted] CloudTrail - lambda.amazonaws.com - AddPermission
- [Deleted] CloudTrail - lambda.amazonaws.com - CreateEventSourceMapping
- [Deleted] CloudTrail - lambda.amazonaws.com - CreateFunction
- [Deleted] CloudTrail - lambda.amazonaws.com - CreateFunctionUrlConfig
- [Deleted] CloudTrail - lambda.amazonaws.com - DeleteFunction
- [Deleted] CloudTrail - lambda.amazonaws.com - GetEventSourceMapping
- [Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionConfiguration
- [Deleted] CloudTrail - lambda.amazonaws.com - GetFunctionUrlConfig
- [Deleted] CloudTrail - lambda.amazonaws.com - PublishLayerVersion
- [Deleted] CloudTrail - lambda.amazonaws.com - RemovePermission
- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateEventSourceMapping
- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionCode
- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionConfiguration
- [Deleted] CloudTrail - lambda.amazonaws.com - UpdateFunctionUrlConfig
- [Deleted] CloudTrail - logs.amazonaws.com - DeleteLogGroup
- [Deleted] CloudTrail - logs.amazonaws.com - DeleteLogStream
- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketCors
- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketLifecycle
- [Deleted] CloudTrail - s3.amazonaws.com - DeleteBucketPolicy
- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketAcl
- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketCors
- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketLifecycle
- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketPolicy
- [Deleted] CloudTrail - s3.amazonaws.com - PutBucketReplication
- [Deleted] CloudTrail - secretsmanager.amazonaws.com - RotationStarted
- [Deleted] CloudTrail - signin.amazonaws.com - CheckMfa
- [Deleted] CloudTrail - signin.amazonaws.com - ExitRole
- [Deleted] CloudTrail - signin.amazonaws.com - RenewRole
- [Deleted] CloudTrail - signin.amazonaws.com - SwitchRole
- [Deleted] CloudTrail - sso.amazonaws.com - ListProfilesForApplication
- [Updated] CloudTrail - cloudtrail.amazonaws.com - Trail Change|Logging
- [Updated] CloudTrail - ec2.amazonaws.com - All Network Events
- [Updated] CloudTrail - iam.amazonaws.com - Policy Change
- [Updated] CloudTrail - kms.amazonaws.com - DisableKey|ScheduleKeyDeletion
- [Updated] CloudTrail - lambda.amazonaws.com - Audit Change
- [Updated] CloudTrail - lambda.amazonaws.com - DeleteEventSourceMapping|DeleteFunction
- [Updated] CloudTrail - lambda.amazonaws.com - GetPolicy|GetLayerVersionPolicy
- [Updated] CloudTrail - lambda.amazonaws.com - Resource Access
- [Updated] CloudTrail - logs.amazonaws.com - DeleteDestination|DeleteLogGroup|DeleteLogStream
- [Updated] CloudTrail - s3.amazonaws.com - Bucket Change
- [Updated] CloudTrail - secretsmanager.amazonaws.com - RotationSucceeded|RotationStarted
- [Updated] CloudTrail - signin.amazonaws.com - All AwsConsoleSignIn events
- [Updated] CloudTrail - sso.amazonaws.com - Federate|ListProfilesForApplication
Parsers​
- [New] /Parsers/System/Github/GitHub Enterprise Audit
- [New] /Parsers/System/Honeywell/Honeywell Pro-Watch
- [New] /Parsers/System/Zendesk/Zendesk
- [Updated] /Parsers/System/AWS/AWS ALB
- Extends AWS ALB parser to handle additional
conn_trace_id
field
- Extends AWS ALB parser to handle additional
- [Updated] /Parsers/System/Citrix/Citrix Cloud C2C
- Modifies time handling and drops logs without security value
- [Updated] /Parsers/System/Dell/Dell SonicWall
- Minor regex fix for port and protocol handling
- [Updated] /Parsers/System/Palo Alto/PAN Firewall CSV
- Additional TRAFFIC log format handling