October 31, 2024 - Content Release
This content release includes:
- New Detection rules for Github Enterprise Audit.
- New Detection rules for Okta identity and access management.
- Updated parser and mappers for Cisco Meraki firewall, and Cisco Meraki Flows:
- Updated the pattern lookup for: action, normalized action, and success.
- Updated log mappers for Github Enterprise Audit:
- Updated the name of the product and the internal ID that corresponds to it.
- Updated parser for Github Enterprise Audit time handling.
- New parsers and mappers for Apache HTTP server and Kandji EDR.
- Other changes enumerated below.
Please be advised that rule FIRST-S00031 (First Seen IP Address Associated with User for a Successful Azure AD Sign In Event) is not performing as intended and will be decommissioned in a forthcoming release. Please use FIRST-S00047 (First Seen ASN Associated with User for a Successful Azure AD Sign In Event) which provides an accurate and less sensitive detection point.
Rules
- [New] MATCH-S00922 AWS Bedrock Agent Created.
- This rule detects when an AWS Bedrock Agent has been created in the environment. Bedrock Agents can be configured with various parameters to build AI applications.
- [New] MATCH-S00924 AWS Bedrock Guardrail Deleted.
- AWS Bedrock Guardrails provide users with the ability to configure options like filtering out harmful content or defining denied topics for models. Guardrails also allow the blocking of sensitive information such as PII. Ensure that this deletion was performed by an authorized user during an expected change.
- [New] MATCH-S00923 AWS Bedrock Model Invocation Denied for User.
- A user has attempted to invoke a model via AWS Bedrock for which access was denied due to a permission issue. This event can be a normal occurrence for a user who has not been provisioned the proper IAM resources for AWS Bedrock.
- [New] MATCH-S00921 AWS Bedrock Model Invocation Logging Configuration Change Observed.
- An AWS Bedrock Model invocation logging configuration change was observed. Ensure that this activity is expected and authorized.
- [New] OUTLIER-S00024 AWS DynamoDB Outlier in GetItem Events from User.
- An outlier in GetItem events to a DynamoDB resource within an hour time period has been detected. Ensure that the user performing these actions has business justification for modifying DynamoDB tables and instances.
- [New] OUTLIER-S00025 AWS S3 Outlier in PutObject Denied Events
- This rule utilizes an hourly baseline to detect an outlier in the number of denied PutObject access events to an S3 bucket. AWS Data events are necessary for this signal to function.
- [New] MATCH-S00390 Attempted Credential Dump From Registry Via Reg.Exe
- Monitors for use of reg.exe with parameters indicating the attempted export of hashed credentials. Audit Object Access (success and failure) must be enabled for this rule to function.
- [New] MATCH-S00896 Azure Authentication Policy Change
- Various authentication related policy configurations exist within Azure. These are tenant-wide policy changes that affect aspects such as enabling of number matching, changing of which authentication methods users are allowed to use, or the exclusion of certain groups from various authentication methods.
- [New] MATCH-S00525 Credential Dumping Via Copy Command From Shadow Copy
- This rule detects credential dumping using copy command from a shadow copy.
- [New] FIRST-S00084 First Seen AWS Bedrock API Call from User
- This rule looks for a first seen AWS Bedrock API call from a user since the baseline period. Ensure the user in question is authorized to utilize AWS Bedrock services.
- [New] FIRST-S00062 First Seen IP Address Connecting to Active Directory Certificate Services Process
- This alert looks at Windows Filtering Platform Events and flags when a first seen IP address connects to the certificate services process. This can be indictive of enumeration of certificate templates which can potentially lead to forged certificates and privilege escalation avenues.
- [New] FIRST-S00086 First Seen IP Address Performing Trufflehog AWS Credential Verification
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call. This signal looks for the default Trufflehog User Agent within CloudTrail telemetry, combined with the GetCallerIdentity API call occurring from an IP address not seen since the baseline period.
- [New] FIRST-S00081 First Seen Model ID in AWS Bedrock Put Entitlement by User
- A first seen model id was observed in AWS Bedrock. The PutFoundationModelEntitlement API call grants permission to put entitlement to access a foundational model.
- [New] FIRST-S00088 First Seen NTLM Authentication to Host (User)
- A user has performed NTLM authentication to a host on the network for the first time since the baseline period has been established.
- [New] FIRST-S00076 First Seen Net Command Use on Host
- [New] FIRST-S00085 First Seen Role Creating AWS Bedrock Agent
- An AWS Bedrock Agent has been created in the environment by a Role seen for the first time since the baseline period. If this role is not expected in the environment and was not originally assigned IAM rights to Bedrock, this activity could be indicative of privilege escalation.
- [New] FIRST-S00061 First Seen USB device in use on Windows host
- This signal looks for a new removable USB device name being used by a host not seen since the baseline period. This activity by itself is not necessarily malicious, but can be indicative of potential lateral movement or initial access tactics.
- [New] FIRST-S00087 First Seen User Creating or Modifying EC2 Launch Template
- AWS EC2 launch templates allows cloud administrators to specify instance configuration information in a templated format. Granting permissions to modify or create launch templates within EC2 in certain circumstances grants the user PassRole permissions, potentially opening privilege escalation avenues via IAM.
- [New] FIRST-S00082 First Seen User Enumerating AWS Bedrock Models
- A first seen user was observed enumerating AWS Bedrock models via the ListFoundationModels API call. Ensure that the user performing the enumeration is authorized to work within AWS Bedrock.
- [New] FIRST-S00059 First Seen esentutl command From User
- Threat actors may use the esentutl utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
- [New] FIRST-S00058 First Seen vssadmin command From User
- Threat actors may use the vssadmin utility to create volume shadow copies on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
- [New] FIRST-S00060 First Seen wbadmin command From User
- Threat actors may use the wbadmin utility to create volume shadow copies and/or backups on a Windows operating system and retrieve the Active Directory database (NTDS.dit) file in order to extract credential material.
- [New] MATCH-S00429 LSASS Memory Dumping
- Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
- [New] MATCH-S00161 Malicious PowerShell Get Commands
- This rule detects commandlets from common PowerShell exploitation frameworks.
- [New] MATCH-S00895 NinjaCopy Usage Detected
- NinjaCopy is a legacy PowerShell tool that can copy files from an NTFS volume in a manner that bypasses SACL auditing as well as DACL controls such as only allowing SYSTEM to open a file.
- [New] MATCH-S00906 Okta - Application Created
- This rule looks for an Okta application being created. Ensure that this activity is expected and authorized. Only Okta administrators should be creating applications.
- [New] MATCH-S00903 Okta - Device Added To User
- An Okta device was added to a user. This activity may occur as part of normal user operations such as lost device.
- [New] MATCH-S00904 Okta - Device Removed From User
- An Okta device was removed from a user. It is recommended that the user performing the action be cross-referenced to a list of approved Okta administrators.
- [New] CHAIN-S00020 Okta - MFA Denied Followed by Successful Logon
- This signal looks for a single user explicitly denying at least two (2) multi factor authentication prompts, followed by a successful Okta login via multi factor authentication within a twenty-five (25) minute window. This logic is designed to catch successful MFA fatigue type attacks.
- [New] MATCH-S00908 Okta - MFA Request Denied by User
- This signal will trigger when a user denies an MFA request within the Okta authenticator application.
- [New] MATCH-S00907 Okta - Policy Rule Added
- An Okta policy rule has been added through the Okta admin application.
- [New] MATCH-S00905 Okta - Programmatic Access to Users API Endpoint
- This signal looks for programmatic (PowerShell, Golang, Python or Curl) access to the Okta “users” API endpoint. This endpoint provides functionality to perform various actions on Okta user accounts such as password resets and account unlocks.
- [New] AGGREGATION-S00008 Okta - Session Anomaly (Multiple ASNs)
- This rule detects when a user has utilized multiple distinct ASNs when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly.
- [New] AGGREGATION-S00009 Okta - Session Anomaly (Multiple User Agents)
- This rule detects when a user has utilized multiple distinct User Agents when performing authentication through Okta. This activity could potentially indicate credential theft or a general session anomaly.
- [New] OUTLIER-S00019 Outlier in AWS Bedrock API Calls from User
- An outlier in the number of API calls made to AWS Bedrock from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts.
- [New] OUTLIER-S00022 Outlier in AWS Bedrock Foundation Model Enumeration Calls from User
- An outlier in the number of Foundation Model Enumeration API Calls from a user within an hour time period was observed. These events may be part of normal Bedrock operations or may be indicative of enumeration/discovery attempts.
- [New] MATCH-S00900 Overly-Permissive Active Directory Certificate Template Loaded
- This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows domain users full control over the certificate
- [New] CHAIN-S00019 Potential Active Directory Certificate Services Enrollment Agent Misconfiguration
- This alert looks for two events in a particular order, the first event involves a certificate template being loaded with a certificate request agent application policy.
- [New] MATCH-S00898 Potentially Misconfigured Active Directory Certificate Template Loaded
- This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows all domain users the ability to enroll the template.
- [New] MATCH-S00901 Potentially Vulnerable Active Directory Certificate Services Template Loaded
- This alert looks at Active Directory Certificate Services Auditing Events to look for a certificate template issued that allows the enrolee to supply a subject and allows all domain users to enroll.
- [New] MATCH-S00899 Suspicious Active Directory Certificate Modification
- This alert looks for an Active Directory certificate being modified with the "Any Purpose" OID.
- [New] MATCH-S00902 Suspicious Active Directory Certificate Modification - Enrollment Agent
- This alert looks for an Active Directory certificate being modified with an Enrollment Agent value that allows an Active Directory principal to enroll a certificate on behalf of another user.
- [New] MATCH-S00917 Suspicious PowerShell Application Window Discovery COM method
- This PowerShell COM method allows for discovery of running application windows, along with the process path and window location coordinates.
- [New] MATCH-S00920 Suspicious PowerShell Window Discovery Cmdlet execution
- Detects the use of PowerShell for Applicaiton Window Discovery to identify open application windows to gather information on running programs, collect potential data, and discover security tooling.
- [New] MATCH-S00918 Suspicious cat of PAM common-password policy
- The Pluggable Authentication Module (PAM) in Linux allows system administrators to choose how applications authenticate users.
- [New] MATCH-S00925 Trufflehog AWS Credential Verification Detected
- Trufflehog is a tool that can be utilized to find and verify secrets. When Trufflehog locates AWS credentials, it attempts to validate them using the GetCallerIdentity API call.
- [New] MATCH-S00583 WCE wceaux.dll Access
- Obvserves for access of wceaux.dll, which may be indicative of credential access.
- [New] MATCH-S00159 Windows - Permissions Group Discovery
- Microsoft’s Net.exe can be used for multiple Discovery tactics, including Password Policy, Permissions, Account and Domain Trust Discovery. This detection identifies the use net.exe related commands on a system related to these discovery tactics.
- [New] THRESHOLD-S00067 ZeroLogon Privilege Escalation Behavior
- An attack against CVE-2020-1472 may create thousands of NetrServerReqChallenge and NetrServerAuthenticate3 requests in a short amount of time.
- [New] MATCH-S00919 chage command use on host
- The chage command on Linux allows for the changing of user password expiry information. The chage command is restricted to the root user; however, non-root/unprivileged users may use the -l flag to determine when the user’s password or account is due to expire.
Log Mappers
- [New] Apache HTTP Server - Access log
- [New] Kandji EDR - catch all
- [Updated] Cisco Meraki Firewall - Custom Parser
- [Updated] Cisco Meraki Flows - Custom Parser
- [Updated] GitHub Enterprise Audit - Access Events
- [Updated] GitHub Enterprise Audit - Authentication Events
- [Updated] GitHub Enterprise Audit - Create Events
- [Updated] GitHub Enterprise Audit - Modify Events
- [Updated] GitHub Enterprise Audit - Remove Events
- [Updated] GitHub Enterprise Audit - Restore Events
- [Updated] GitHub Enterprise Audit - Transfer Events
- [Updated] GitHub Enterprise Audit Catch All
Parsers
- [New] /Parsers/System/Apache/Apache HTTP Server
- [New] /Parsers/System/Kandji/Kandji EDR
- [Updated] /Parsers/System/Cisco/Cisco Meraki
- Corrected parser to address incorrect mapping leading to alert errors.
- [Updated] /Parsers/System/Github/GitHub Enterprise Audit
- Parser modification to the MAPPER:product from Github Enterpries to Github Enterprise Audit
- [Updated] /Parsers/System/Kemp/Kemp LoadMaster Syslog
- Corrected parser transform for the log-entry format of the Process_Syslog_Header
- [Updated] /Parsers/System/Netskope/Netskope Security Cloud JSON
- Corrected the JSON parser for MAPPER:event_id to facilitiate proper mapping processing