Skip to content

Commit

Permalink
Update default timeouts (#1294)
Browse files Browse the repository at this point in the history
* bump some default timeouts

* more tweaking

* more bumps

---------

Co-authored-by: Nicholas Hakmiller <[email protected]>
  • Loading branch information
nhakmiller and Nicholas Hakmiller authored Jul 22, 2024
1 parent 0aee35c commit 8ddde32
Show file tree
Hide file tree
Showing 10 changed files with 16 additions and 16 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ Detection:
LookbackWindowMinutes: 90
Schedule:
RateMinutes: 60
TimeoutMinutes: 1
TimeoutMinutes: 5
Tests:
- Name: Instance Stopped, Followed By Script Change
ExpectedResult: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ Detection:
- On: requestParameters.roleArn
Schedule:
RateMinutes: 60
TimeoutMinutes: 2
TimeoutMinutes: 15
LookbackWindowMinutes: 1440
Tests:
- Name: Role Assumed By Service, Followed By Role Assumed By User
Expand Down Expand Up @@ -61,4 +61,4 @@ Tests:
- ID: Role Assumed by User
Matches:
requestParameters.roleArn:
FAKE_ROLE_ARN: [0]
FAKE_ROLE_ARN: [0]
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Detection:
- On: p_alert_context.ip_accessKeyId
Schedule:
RateMinutes: 15
TimeoutMinutes: 2
TimeoutMinutes: 5
LookbackWindowMinutes: 60
Tests:
- Name: Access Key Created and Used from Same IP
Expand Down Expand Up @@ -69,4 +69,4 @@ Tests:
- ID: User Accessed
Matches:
p_alert_context.ip_accessKeyId:
1.1.1.1-FAKE_ACCESS_KEY_ID: [30]
1.1.1.1-FAKE_ACCESS_KEY_ID: [30]
2 changes: 1 addition & 1 deletion correlation_rules/aws_user_takeover_via_password_reset.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Detection:
- On: sourceIPAddress
Schedule:
RateMinutes: 15
TimeoutMinutes: 2
TimeoutMinutes: 5
LookbackWindowMinutes: 60
Tests:
- Name: Password Reset, Then Login From Same IP
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Detection:
LookbackWindowMinutes: 90
Schedule:
RateMinutes: 60
TimeoutMinutes: 1
TimeoutMinutes: 5
Tests:
- Name: GCP Service Run, Followed By IAM Policy Change From Same IP
ExpectedResult: true
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ Detection:
LookbackWindowMinutes: 15
Schedule:
RateMinutes: 10
TimeoutMinutes: 1
TimeoutMinutes: 5
Tests:
- Name: Security Change on Repo, Followed By Same Repo Archived
ExpectedResult: false
Expand Down Expand Up @@ -56,4 +56,4 @@ Tests:
Matches:
p_alert_context.repo:
my-org/example-repo:
- "2024-06-01T10:00:00Z"
- "2024-06-01T10:00:00Z"
4 changes: 2 additions & 2 deletions correlation_rules/okta_login_without_push.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ Detection:
To: new.email
Schedule:
RateMinutes: 5
TimeoutMinutes: 2
TimeoutMinutes: 3
LookbackWindowMinutes: 30
Tests:
- Name: Okta Login, Followed By Push Authorized Login
Expand Down Expand Up @@ -62,4 +62,4 @@ Tests:
Matches:
new.email:
[email protected]:
- 3
- 3
4 changes: 2 additions & 2 deletions correlation_rules/potential_compromised_okta_credentials.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ Detection:
To: new.employee.email
Schedule:
RateMinutes: 5
TimeoutMinutes: 1
TimeoutMinutes: 3
LookbackWindowMinutes: 30
Tests:
- Name: Login Without Marker, Followed By Phishing Detection
Expand Down Expand Up @@ -61,4 +61,4 @@ Tests:
Matches:
actor.alternateId:
[email protected]:
- 0
- 0
4 changes: 2 additions & 2 deletions correlation_rules/secret_exposed_and_not_quarantined.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ Detection:
To: SecretNotQuarantined
Schedule:
RateMinutes: 10
TimeoutMinutes: 2
TimeoutMinutes: 3
LookbackWindowMinutes: 30
Tests:
- Name: Secret Found and Quarantied
Expand All @@ -43,4 +43,4 @@ Tests:
- ID: SecretFound
Matches:
foo:
bar: [0]
bar: [0]
2 changes: 1 addition & 1 deletion correlation_rules/snowflake_data_exfiltration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ Detection:
- On: stage
Schedule:
RateMinutes: 720
TimeoutMinutes: 2
TimeoutMinutes: 15
LookbackWindowMinutes: 1440
Tests:
- Name: Data Exfiltration
Expand Down

0 comments on commit 8ddde32

Please sign in to comment.