From 23c370565331494ddd832b43698f22d361a7fb21 Mon Sep 17 00:00:00 2001
From: akozlovets098 <an.kozlovets@gmail.com>
Date: Mon, 11 Dec 2023 15:33:59 +0200
Subject: [PATCH] Add references to rules (indicator_creation_rules)

---
 rules/indicator_creation_rules/new_aws_account_logging.yml  | 1 +
 rules/indicator_creation_rules/new_user_account_logging.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/rules/indicator_creation_rules/new_aws_account_logging.yml b/rules/indicator_creation_rules/new_aws_account_logging.yml
index cac085a9c..e00618000 100644
--- a/rules/indicator_creation_rules/new_aws_account_logging.yml
+++ b/rules/indicator_creation_rules/new_aws_account_logging.yml
@@ -15,6 +15,7 @@ Reports:
     - TA0003:T1136
 Description: A new AWS account was created
 Runbook: A new AWS account was created, ensure it was created through standard practice and is for a valid purpose.
+Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#:~:text=AWS%20Organizations%20information%20in%20CloudTrail
 SummaryAttributes:
   - p_any_aws_account_ids
 Tests:
diff --git a/rules/indicator_creation_rules/new_user_account_logging.yml b/rules/indicator_creation_rules/new_user_account_logging.yml
index 4c0ffef80..bbe24533b 100644
--- a/rules/indicator_creation_rules/new_user_account_logging.yml
+++ b/rules/indicator_creation_rules/new_user_account_logging.yml
@@ -24,6 +24,7 @@ Reports:
     - TA0003:T1136
 Description: A new account was created
 Runbook: A new user account was created, ensure it was created through standard practice and is for a valid purpose.
+Reference: https://attack.mitre.org/techniques/T1136/001/
 SummaryAttributes:
   - p_any_usernames
 Tests: