From 2495608dae81d7816eb7d87996cd9e5c7f98ddc0 Mon Sep 17 00:00:00 2001 From: ben-githubs <38414634+ben-githubs@users.noreply.github.com> Date: Fri, 6 Dec 2024 09:55:10 -0600 Subject: [PATCH 1/2] THREAT-420: Stratus AWS Logging Detections (#1437) Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com> --- packs/aws.yml | 4 + ...aws_cloudtrail_event_selectors_disabled.py | 35 ++ ...ws_cloudtrail_event_selectors_disabled.yml | 231 ++++++++++ .../aws_cloudtrail_short_lifecycle.py | 87 ++++ .../aws_cloudtrail_short_lifecycle.yml | 426 ++++++++++++++++++ .../aws_dns_logs_deleted.py | 18 + .../aws_dns_logs_deleted.yml | 90 ++++ .../aws_vpc_flow_logs_deleted.py | 15 + .../aws_vpc_flow_logs_deleted.yml | 86 ++++ 9 files changed, 992 insertions(+) create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.py create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.yml create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.py create mode 100644 rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.yml create mode 100644 rules/aws_cloudtrail_rules/aws_dns_logs_deleted.py create mode 100644 rules/aws_cloudtrail_rules/aws_dns_logs_deleted.yml create mode 100644 rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.py create mode 100644 rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.yml diff --git a/packs/aws.yml b/packs/aws.yml index 820a4a43f..8522ddb4f 100644 --- a/packs/aws.yml +++ b/packs/aws.yml @@ -90,8 +90,11 @@ PackDefinition: - AWS.CloudFormation.Stack.UsesIAMServiceRole - AWS.CloudTrail.CodebuildProjectMadePublic - AWS.CloudTrail.Created + - AWS.CloudTrail.DNSLogsDeleted - AWS.CloudTrail.Enabled + - AWS.CloudTrail.EventSelectorsDisabled - AWS.CloudTrail.SecurityConfigurationChange + - AWS.CloudTrail.ShortLifecycle - AWS.CloudTrail.Stopped - AWS.CloudTrail.UnauthorizedAPICall - AWS.CloudWatchLogs.DataRetention1Year 
@@ -131,6 +134,7 @@ PackDefinition:
 - AWS.S3.ServerAccess.Error
 - AWS.SecurityHub.Finding.Evasion
 - AWS.VPC.FlowLogs
+ - AWS.VPCFlow.LogsDeleted
 - AWS.WAF.Disassociation
 - AWS.WAF.HasXSSPredicate
 - AWS.WAF.LoggingConfigured
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.py
new file mode 100644
index 000000000..d8db329fd
--- /dev/null
+++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.py
@@ -0,0 +1,35 @@
+from panther_aws_helpers import aws_cloudtrail_success, aws_rule_context, lookup_aws_account_name
+
+# API calls that are indicative of CloudTrail changes
+CLOUDTRAIL_EDIT_SELECTORS = {"PutEventSelectors"}
+
+
+def rule(event):
+ if not (aws_cloudtrail_success(event) and event.get("eventName") in CLOUDTRAIL_EDIT_SELECTORS):
+ return False
+
+ # Check if management events are included for each selector.
+ # deep_walk only returns a list if there's more than 1 entry in the nested array, so we must
+ # enforce it to be a list.
+ includes = event.deep_walk("requestParameters", "eventSelectors", "includeManagementEvents")
+ if not isinstance(includes, list):
+ includes = [includes]
+
+ # Return False all the management events are included, else return True and raise alert
+ return not all(includes)
+
+
+def dedup(event):
+ # Merge on the CloudTrail ARN
+ return event.deep_get("requestParameters", "trailName", default="")
+
+
+def title(event):
+ return (
+ f"Management events have been exluded from CloudTrail [{dedup(event)}] in account "
+ f"[{lookup_aws_account_name(event.get('recipientAccountId'))}]"
+ )
+
+
+def alert_context(event):
+ return aws_rule_context(event)
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.yml
new file mode 100644
index 000000000..fa3a1d4d1
--- /dev/null
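Review bot: `return not all(includes)` fires on any PutEventSelectors request whose selectors carry no `includeManagementEvents` key, because `deep_walk` presumably returns None in that case and `[None]` makes `all()` False — a request that configures `advancedEventSelectors` instead of `eventSelectors` would alert even though it says nothing about management events; add `if includes is None: return False` right after the `deep_walk` call (or handle advanced selectors explicitly), and confirm the helper's no-match return value. The title string has a typo that lands in every alert: `exluded` should be `excluded`. The `dedup` comment says "Merge on the CloudTrail ARN" but the function returns `trailName`, which the API accepts as either a name or an ARN; either fix the comment or normalize the value so alerts for the same trail merge.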
+++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_event_selectors_disabled.yml 
@@ -0,0 +1,231 @@ +AnalysisType: rule +Filename: aws_cloudtrail_event_selectors_disabled.py +RuleID: "AWS.CloudTrail.EventSelectorsDisabled" +DisplayName: "CloudTrail Event Delectors Disabled" +Enabled: true +LogTypes: + - AWS.CloudTrail +Tags: + - AWS + - Security Control + - Defense Evasion:Impair Defenses +Reports: + CIS: + - 3.5 + MITRE ATT&CK: + - TA0005:T1562 +Severity: Medium +Description: > + A CloudTrail Trail was modified to exclude management events for 1 or more resource types. +Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-cloudtrail-modified +Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html +SummaryAttributes: + - eventName + - userAgent + - sourceIpAddress + - recipientAccountId + - p_any_aws_arns +Tests: + - Name: Event Selector Disabled + ExpectedResult: true + Log: { + "p_event_time": "2024-11-25 17:51:21.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-25 17:55:54.253083422", + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "4ca1cb25-7633-496b-8f92-6de876228c3f", + "eventName": "PutEventSelectors", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-11-25 17:51:21.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.11", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "111122223333", + "requestID": "a8c6184a-89b1-4fc1-a6fa-324748d48b64", + "requestParameters": { + "eventSelectors": [ + { + "dataResources": [ + { + "type": "AWS::S3::Object", + "values": [] + }, + { + "type": "AWS::Lambda::Function", + "values": [] + } + ], + "excludeManagementEventSources": [], + "includeManagementEvents": false, + "readWriteType": "ReadOnly" + } + ], + "trailName": "sample-cloudtrail-name" + }, + "responseElements": { + "eventSelectors": [ + { + "dataResources": [ + { + "type": "AWS::S3::Object", + "values": [] + }, + { + "type": "AWS::Lambda::Function", + "values": [] + } + ], + 
"excludeManagementEventSources": [], + "includeManagementEvents": false, + "readWriteType": "ReadOnly" + } + ], + "trailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/sample-cloudtrail-name" + }, + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "sample-user-agent", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY_ID", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins", + "principalId": "EXAMPLEPRINCIPLEID:leroy.jenkins", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-25T16:53:42Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "EXAMPLEPRINCIPLEID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } + - Name: Event Selector Enabled + ExpectedResult: false + Log: { + "p_event_time": "2024-11-25 17:51:21.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-25 17:55:54.253083422", + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "4ca1cb25-7633-496b-8f92-6de876228c3f", + "eventName": "PutEventSelectors", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-11-25 17:51:21.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.11", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "111122223333", + "requestID": "a8c6184a-89b1-4fc1-a6fa-324748d48b64", + "requestParameters": { + "eventSelectors": [ + { + "dataResources": [], + "excludeManagementEventSources": [], + "includeManagementEvents": true, + "readWriteType": "All" + } + ], + "trailName": "sample-cloudtrail-name" + }, + "responseElements": { + "eventSelectors": [ + { + "dataResources": [], + 
"excludeManagementEventSources": [], + "includeManagementEvents": true, + "readWriteType": "All" + } + ], + "trailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/sample-cloudtrail-name" + }, + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "sample-user-agent", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY_ID", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins", + "principalId": "EXAMPLEPRINCIPLEID:leroy.jenkins", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-25T16:53:42Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "EXAMPLEPRINCIPLEID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } + - Name: Uninteresting Event Type + ExpectedResult: false + Log: { + "p_event_time": "2024-11-25 17:50:24.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-25 17:55:54.172592534", + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "63fb143a-c494-4510-8e9e-34172e4872c3", + "eventName": "GetEventSelectors", + "eventSource": "cloudtrail.amazonaws.com", + "eventTime": "2024-11-25 17:50:24.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.11", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "111122223333", + "requestID": "cad6aff4-1558-49c5-ae4a-c512058751f1", + "requestParameters": { + "trailName": "sample-cloudtrail-name" + }, + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "cloudtrail.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.1.2 
(+https://www.terraform.io) terraform-provider-aws/3.76.1 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.157 (go1.19.3; darwin; arm64) stratus-red-team_83c9a458-ffab-4d43-8b02-9691311e8c0a HashiCorp-terraform-exec/0.17.3", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY_ID", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins", + "principalId": "EXAMPLEPRINCIPLEID:leroy.jenkins", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-25T16:53:42Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "EXAMPLEPRINCIPLEID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } \ No newline at end of file diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.py b/rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.py new file mode 100644 index 000000000..92dd612f2 --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.py 
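Review bot: `DisplayName: "CloudTrail Event Delectors Disabled"` has a typo and should read `CloudTrail Event Selectors Disabled`. The three tests cover `includeManagementEvents` false and true plus an unrelated read-only event, but none exercises a PutEventSelectors request with no `eventSelectors` at all (for example one that sets `advancedEventSelectors`), which is the case where the rule's list coercion is least obvious; a fourth test pinning the expected result there would document the intended behaviour.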
@@ -0,0 +1,87 @@
+from panther_aws_helpers import aws_cloudtrail_success, aws_rule_context, lookup_aws_account_name
+from panther_base_helpers import deep_get
+
+# Use this to record the names of your S3 buckets that have cloudtrail logs
+# If a bucket name isn't mentioned here, we still make a best guess as to whether or not it
+# contains CloudTrail data, but the confidence rating will be lower, and so will the severity
+CLOUDTRAIL_BUCKETS = ("example_cloudtrail_bucket_name",)
+
+# This is the minimum length fo time CloudTrail logs should remain in an S3 bucket.
+# We set this to 7 initially, since this is the recommended amount of time logs ingested by
+# Panther should remain available. You can modify this if you wish.
+CLOUDTRAIL_MINIMUM_STORAGE_PERIOD_DAYS = 7
+
+
+def rule(event):
+ # Only alert for successful PutBucketLifecycle events
+ if not (aws_cloudtrail_success(event) and event.get("eventName") == "PutBucketLifecycle"):
+ return False
+
+ # Exit out if the bucket doesn't have cloudtrail logs
+ # We check this be either comparing the bucket name to a list of buckets the user knows has
+ # CT logs, or by heuristically looking at the name and guessing whether it likely has CT logs
+ bucket_name = event.deep_get("requestParameters", "bucketName")
+ if not bucket_name or (
+ not is_cloudtrail_bucket(bucket_name) and not guess_is_cloudtrail_bucket(bucket_name)
+ ):
+ return False
+
+ # Don't alert if the Rule status is disabled
+ lifecycle = event.deep_get("requestParameters", "LifecycleConfiguration", "Rule")
+ if lifecycle.get("Status") != "Enabled":
+ return False
+
+ # Alert if the lifecycle period is short
+ duration = deep_get(lifecycle, "Expiration", "Days", default=0)
+ return duration < CLOUDTRAIL_MINIMUM_STORAGE_PERIOD_DAYS
+
+
+def title(event):
+ bucket_name = event.deep_get("requestParameters", "bucketName", default="")
+ lifecycle = event.deep_get("requestParameters", "LifecycleConfiguration", "Rule")
+ duration = deep_get(lifecycle,
"Expiration", "Days", default=0)
+ rule_id = lifecycle.get("ID", "")
+ account = event.deep_get("userIdentity", "accountId", default="")
+ return (
+ f"S3 Bucket {bucket_name} in account {lookup_aws_account_name(account)} "
+ f"has new rule {rule_id} set to delete CloudTrail logs after "
+ f"{duration} day{'s' if duration != 1 else ''}"
+ )
+
+
+def severity(event):
+ # Return lower severity if we aren't positive this bucket has cloudtrail logs.
+ bucket_name = event.deep_get("requestParameters", "bucketName")
+ if not is_cloudtrail_bucket(bucket_name):
+ return "LOW"
+ return "DEFAULT"
+
+
+def alert_context(event):
+ context = aws_rule_context(event)
+
+ # Add name of S3 bucket, Rule ID, and expiration duration to context
+ bucket_name = event.deep_get("requestParameters", "bucketName", default="")
+ lifecycle = event.deep_get("requestParameters", "LifecycleConfiguration", "Rule")
+ duration = deep_get(lifecycle, "Expiration", "Days", default=0)
+ rule_id = lifecycle.get("ID", "")
+ context.update(
+ {
+ "bucketName": bucket_name,
+ "lifecycleRuleID": rule_id,
+ "lifecycleRuleDurationDays": duration,
+ }
+ )
+
+ return context
+
+
+def is_cloudtrail_bucket(bucket_name: str) -> bool:
+ """Returns True if the bucket is known to contain CloudTrail logs."""
+ return bucket_name in CLOUDTRAIL_BUCKETS
+
+
+def guess_is_cloudtrail_bucket(bucket_name: str) -> bool:
+ """Takes a best guess at whether a bucket contains CloudTrail logs or not."""
+ # Maybe one day, this check will get more complex
+ return "trail" in bucket_name.lower()
diff --git a/rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.yml b/rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.yml
new file mode 100644
index 000000000..9253f9ab1
--- /dev/null
+++ b/rules/aws_cloudtrail_rules/aws_cloudtrail_short_lifecycle.yml
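Review bot: `lifecycle = event.deep_get("requestParameters", "LifecycleConfiguration", "Rule")` in `rule` has no default, so `lifecycle.get("Status")` on the next line raises AttributeError whenever that path is absent, and `deep_get(lifecycle, "Expiration", "Days", default=0)` turns a rule with no `Expiration.Days` at all (a transition-only rule, a `Date`-based expiration, or one that only sets `NoncurrentVersionExpiration`) into a "delete CloudTrail logs after 0 days" alert. `Rule` is presumably serialized as a list when the configuration carries more than one rule, which the `.get` calls here and in `title`, `severity` and `alert_context` would not handle — worth confirming against a real multi-rule event. The rewrite below iterates over the rule(s), skips disabled entries, and only compares against the threshold when `Days` is actually present; `title` and `alert_context` need the same default and list guard. Minor: `length fo time` in the constant's comment should be `length of time`.

```python
def rule(event):
    # … unchanged: event-name and bucket-name checks …

    # A configuration with several rules is presumably serialized as a list here — TODO confirm
    # against a real multi-rule PutBucketLifecycle event
    rules = event.deep_get("requestParameters", "LifecycleConfiguration", "Rule", default=[])
    if isinstance(rules, dict):
        rules = [rules]
    for lifecycle in rules:
        # Don't alert on rules that are not in effect
        if not isinstance(lifecycle, dict) or lifecycle.get("Status") != "Enabled":
            continue
        # A rule without Expiration.Days (transition-only, date-based, or noncurrent-version
        # expiration) is not a short retention period, so a missing value must not read as 0 days
        duration = deep_get(lifecycle, "Expiration", "Days")
        if duration is not None and duration < CLOUDTRAIL_MINIMUM_STORAGE_PERIOD_DAYS:
            return True
    return False
```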
@@ -0,0 +1,426 @@ +AnalysisType: rule +Filename: aws_cloudtrail_short_lifecycle.py +RuleID: "AWS.CloudTrail.ShortLifecycle" +DisplayName: "AWS CloudTrail Retention Lifecycle Too Short" +Enabled: true +LogTypes: + - AWS.CloudTrail +Severity: Medium +Reports: + MITRE ATT&CK: + - TA0005:T1562.008 # Defense Evasion: Disable or Modify Cloud Logs +Description: "Detects when an S3 bucket containing CloudTrail logs has been modified to delete data after a short period of time." +Reference: + https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.cloudtrail-lifecycle-rule/ +Runbook: Verify whether the bucket in question contains CloudTrail data, and if so, why the lifecycle was changed. Potentally add a filter for this bucket to prevent future false positives. +Tags: + - AWS + - Cloudtrail + - Defense Evasion + - Impair Defenses + - Disable or Modify Cloud Logs + - Defense Evasion:Impair Defenses + - Security Control +Tests: + - Name: 1-Day Lifecycle Rule on Known CT Bucket + ExpectedResult: true + Mocks: + - objectName: is_cloudtrail_bucket + returnValue: "true" + Log: + { + "p_event_time": "2024-11-25 22:00:58.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-25 22:05:54.357893092", + "additionalEventData": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 249, + "bytesTransferredOut": 0, + "x-amz-id-2": "vf6Ehji6uE8ET3EJvRpIQva7eul9KSAUWVlf87sIKBmLQ0HgdGbswZiHYlVvSr1FdP5DiZze4DRZRAFppKpD4A==" + }, + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "e1ea136d-f372-4cd5-be5f-f317fc80214a", + "eventName": "PutBucketLifecycle", + "eventSource": "s3.amazonaws.com", + "eventTime": "2024-11-25 22:00:58.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "111122223333", + "requestID": "4XRNRGRFH6RES629", + "requestParameters": { + "Host": 
"sample-cloudtrail-bucket-name.s3.us-west-2.amazonaws.com", + "LifecycleConfiguration": { + "Rule": { + "Expiration": { + "Days": 1 + }, + "Filter": { + "Prefix": "*" + }, + "ID": "nuke-cloudtrail-logs-after-1-day", + "Status": "Enabled" + }, + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" + }, + "bucketName": "sample-cloudtrail-bucket-name", + "lifecycle": "" + }, + "resources": [ + { + "accountId": "111122223333", + "arn": "arn:aws:s3:::sample-cloudtrail-bucket-name", + "type": "AWS::S3::Bucket" + } + ], + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sample-cloudtrail-bucket-name.s3.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "[sample-user-agent]", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins", + "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-25T16:53:42Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } + - Name: 1-Day Lifecycle Rule on Assumed CT Bucket + ExpectedResult: true + Mocks: + - objectName: is_cloudtrail_bucket + returnValue: "" # Return empty string, which Python interprets as 'False' + Log: + { + "p_event_time": "2024-11-25 22:00:58.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-25 22:05:54.357893092", + "additionalEventData": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 249, + "bytesTransferredOut": 0, + "x-amz-id-2": 
"vf6Ehji6uE8ET3EJvRpIQva7eul9KSAUWVlf87sIKBmLQ0HgdGbswZiHYlVvSr1FdP5DiZze4DRZRAFppKpD4A==" + }, + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "e1ea136d-f372-4cd5-be5f-f317fc80214a", + "eventName": "PutBucketLifecycle", + "eventSource": "s3.amazonaws.com", + "eventTime": "2024-11-25 22:00:58.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "111122223333", + "requestID": "4XRNRGRFH6RES629", + "requestParameters": { + "Host": "sample-cloudtrail-bucket-name.s3.us-west-2.amazonaws.com", + "LifecycleConfiguration": { + "Rule": { + "Expiration": { + "Days": 1 + }, + "Filter": { + "Prefix": "*" + }, + "ID": "nuke-cloudtrail-logs-after-1-day", + "Status": "Enabled" + }, + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" + }, + "bucketName": "sample-cloudtrail-bucket-name", + "lifecycle": "" + }, + "resources": [ + { + "accountId": "111122223333", + "arn": "arn:aws:s3:::sample-cloudtrail-bucket-name", + "type": "AWS::S3::Bucket" + } + ], + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sample-cloudtrail-bucket-name.s3.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "[sample-user-agent]", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins", + "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-25T16:53:42Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } + - Name: Disabled 1-Day Lifecycle Rule on Known CT Bucket + ExpectedResult: 
false + Mocks: + - objectName: is_cloudtrail_bucket + returnValue: "true" + Log: + { + "p_event_time": "2024-11-25 22:00:58.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-25 22:05:54.357893092", + "additionalEventData": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 249, + "bytesTransferredOut": 0, + "x-amz-id-2": "vf6Ehji6uE8ET3EJvRpIQva7eul9KSAUWVlf87sIKBmLQ0HgdGbswZiHYlVvSr1FdP5DiZze4DRZRAFppKpD4A==" + }, + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "e1ea136d-f372-4cd5-be5f-f317fc80214a", + "eventName": "PutBucketLifecycle", + "eventSource": "s3.amazonaws.com", + "eventTime": "2024-11-25 22:00:58.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "111122223333", + "requestID": "4XRNRGRFH6RES629", + "requestParameters": { + "Host": "sample-cloudtrail-bucket-name.s3.us-west-2.amazonaws.com", + "LifecycleConfiguration": { + "Rule": { + "Expiration": { + "Days": 1 + }, + "Filter": { + "Prefix": "*" + }, + "ID": "nuke-cloudtrail-logs-after-1-day", + "Status": "Disabled" + }, + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" + }, + "bucketName": "sample-cloudtrail-bucket-name", + "lifecycle": "" + }, + "resources": [ + { + "accountId": "111122223333", + "arn": "arn:aws:s3:::sample-cloudtrail-bucket-name", + "type": "AWS::S3::Bucket" + } + ], + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "sample-cloudtrail-bucket-name.s3.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "[sample-user-agent]", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins", + "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins", + "sessionContext": { + 
"attributes": { + "creationDate": "2024-11-25T16:53:42Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } + - Name: 730-Day Lifecycle Rule on Known CT Bucket + ExpectedResult: false + Mocks: + - objectName: is_cloudtrail_bucket + returnValue: "true" + Log: + { + "p_event_time": "2024-11-26 17:26:06.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-26 17:30:54.113261939", + "additionalEventData": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 309, + "bytesTransferredOut": 0, + "x-amz-id-2": "xdjFGuP5MOmtnO6PCaHFNtvmnmUjGLngYLZlKRtdDAihd76he3U1M1QVXbs0q5vZr4Pv7ipRNUU=" + }, + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "a8cfbde4-3b77-430a-b2f3-388d5bb75eb3", + "eventName": "PutBucketLifecycle", + "eventSource": "s3.amazonaws.com", + "eventTime": "2024-11-26 17:26:06.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "111122223333", + "requestID": "HAKZ6Z7PDPHET3TQ", + "requestParameters": { + "Host": "s3.us-west-2.amazonaws.com", + "LifecycleConfiguration": { + "Rule": { + "Expiration": { + "Days": 730 + }, + "Filter": "", + "ID": "nuke-cloudtrail-logs-after-730-days", + "NoncurrentVersionExpiration": { + "NoncurrentDays": 730 + }, + "Status": "Enabled" + }, + "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/" + }, + "bucketName": "sample-cloudtrail-bucket-name", + "lifecycle": "" + }, + "resources": [ + { + "accountId": "111122223333", + "arn": "arn:aws:s3:::sample-cloudtrail-bucket-name", + "type": "AWS::S3::Bucket" + } + ], + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + 
"cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36]", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins", + "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T17:23:25Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } + - Name: Completely Unrelated Event + ExpectedResult: false + Log: + { + "p_event_time": "2024-11-26 17:23:59.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-26 17:30:54.112906272", + "additionalEventData": { + "AuthenticationMethod": "AuthHeader", + "CipherSuite": "TLS_AES_128_GCM_SHA256", + "SignatureVersion": "SigV4", + "bytesTransferredIn": 0, + "bytesTransferredOut": 313, + "x-amz-id-2": "CaKGcLO+fHGAWCSQD7+2dEACPcs+Az44FEQT3c5iu+YlJ8sFA++rPcYTr5xGx5/iwaxNWzWWaWQ=" + }, + "awsRegion": "us-west-2", + "errorCode": "NoSuchLifecycleConfiguration", + "errorMessage": "The lifecycle configuration does not exist", + "eventCategory": "Management", + "eventID": "41fd8553-6e3c-4942-ad03-aba324ec109e", + "eventName": "GetBucketLifecycle", + "eventSource": "s3.amazonaws.com", + "eventTime": "2024-11-26 17:23:59.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.10", + "managementEvent": true, + "readOnly": true, + "recipientAccountId": "111122223333", + "requestID": "BTYKZ7VY1EKRSMZM", + "requestParameters": { + "Host": "s3.us-west-2.amazonaws.com", + "bucketName": 
"sample-cloudtrail-bucket-name", + "lifecycle": "" + }, + "resources": [ + { + "accountId": "111122223333", + "arn": "arn:aws:s3:::sample-cloudtrail-bucket-name", + "type": "AWS::S3::Bucket" + } + ], + "sourceIPAddress": "1.2.3.4", + "tlsDetails": { + "cipherSuite": "TLS_AES_128_GCM_SHA256", + "clientProvidedHostHeader": "s3.us-west-2.amazonaws.com", + "tlsVersion": "TLSv1.3" + }, + "userAgent": "[Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36]", + "userIdentity": { + "accessKeyId": "SAMPLE_ACCESS_KEY", + "accountId": "111122223333", + "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins", + "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins", + "sessionContext": { + "attributes": { + "creationDate": "2024-11-26T17:23:25Z", + "mfaAuthenticated": "false" + }, + "sessionIssuer": { + "accountId": "111122223333", + "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole", + "principalId": "SAMPLE_PRINCIPAL_ID", + "type": "Role", + "userName": "SampleRole" + } + }, + "type": "AssumedRole" + } + } \ No newline at end of file diff --git a/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.py b/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.py new file mode 100644 index 000000000..10c9695f7 --- /dev/null +++ b/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.py 
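Review bot: `Potentally add a filter for this bucket` in the Runbook should read `Potentially`. None of the five tests contains an enabled rule whose `Expiration` has no `Days` (for example a transition-only or `Date`-based rule), which is exactly the case where the rule's `default=0` fallback decides the outcome; a test pinning the expected result there would document the intended behaviour and catch a regression if the fallback changes.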
@@ -0,0 +1,18 @@
+from panther_aws_helpers import aws_cloudtrail_success, aws_rule_context, lookup_aws_account_name
+
+
+def rule(event):
+ return (
+ aws_cloudtrail_success(event) and event.get("eventName") == "DeleteResolverQueryLogConfig"
+ )
+
+
+def title(event):
+ account = event.deep_get("userIdentity", "accountId", default="")
+ region = event.get("awsRegion", "")
+ return f"DNS logs have been deleted in {lookup_aws_account_name(account)} in {region}"
+
+
+def alert_context(event):
+ log_id = event.deep_get("requestParameters", "resolverQueryLogConfigId", "")
+ return aws_rule_context(event) | {"logId": log_id}
diff --git a/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.yml b/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.yml
new file mode 100644
index 000000000..3413b4e55
--- /dev/null
+++ b/rules/aws_cloudtrail_rules/aws_dns_logs_deleted.yml
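Review bot: In `alert_context`, `event.deep_get("requestParameters", "resolverQueryLogConfigId", "")` passes the empty string as a third path key rather than as the default, so the lookup descends one level into the config-id string and `logId` is presumably never the actual id; it should be `log_id = event.deep_get("requestParameters", "resolverQueryLogConfigId", default="")`, matching the `default=` keyword form that `title` uses two lines above. The test in the companion yml only asserts the rule outcome, so this would not show up in CI unless the context is checked.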
@@ -0,0 +1,90 @@ +AnalysisType: rule +Filename: aws_dns_logs_deleted.py +RuleID: "AWS.CloudTrail.DNSLogsDeleted" +DisplayName: "AWS DNS Logs Deleted" +Enabled: true +LogTypes: + - AWS.CloudTrail +Severity: Low +Reports: + MITRE ATT&CK: + - TA0005:T1562.008 # Defense Evasion: Disable or Modify Cloud Logs +Description: "Detects when logs for a DNS Resolver have been removed." +Reference: + hhttps://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs/ +Runbook: Determine if the log removal to is legitimate. +Tags: + - AWS + - Cloudtrail + - Defense Evasion + - Impair Defenses + - Disable or Modify Cloud Logs + - Defense Evasion:Impair Defenses + - Security Control +Tests: + - Name: Logs Deleted + ExpectedResult: true + Log: + { + "p_event_time": "2024-11-27 18:18:58.000000000", + "p_log_type": "AWS.CloudTrail", + "p_parse_time": "2024-11-27 18:25:54.213480847", + "awsRegion": "us-west-2", + "eventCategory": "Management", + "eventID": "27e6be30-7c86-4544-b0e0-a60b0c927887", + "eventName": "DeleteResolverQueryLogConfig", + "eventSource": "route53resolver.amazonaws.com", + "eventTime": "2024-11-27 18:18:58.000000000", + "eventType": "AwsApiCall", + "eventVersion": "1.08", + "managementEvent": true, + "readOnly": false, + "recipientAccountId": "111122223333", + "requestID": "a45a0f04-8911-4c95-a9d7-3fead8a9bc45", + "requestParameters": { + "originSequenceNumber": 0, + "resolverQueryLogConfigId": "rqlc-5aa596fe3bd84ec6" + }, + "responseElements": { + "resolverQueryLogConfig": { + "arn": "arn:aws:route53resolver:us-west-2:111122223333:resolver-query-log-config/rqlc-5aa596fe3bd84ec6", + "associationCount": 0, + "creationTime": "2024-11-27T18:18:56.881520365Z", + "creatorRequestId": "tf-r53-resolver-query-log-config-20241127181856499800000001", + "destinationArn": "arn:aws:s3:::sample-bucket-name", + "id": "rqlc-5aa596fe3bd84ec6", + "name": "sample-config-name", + "ownerId": "111122223333", + "shareStatus": "NOT_SHARED", + "status": "DELETING" + } 
+ },
+ "sourceIPAddress": "1.2.3.4",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "route53resolver.us-west-2.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": "stratus-red-team_dbac929e-ae11-4539-8753-35dbcbbc3256",
+ "userIdentity": {
+ "accessKeyId": "SAMPLE_ACCESS_KEY",
+ "accountId": "111122223333",
+ "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins",
+ "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "2024-11-27T18:17:21Z",
+ "mfaAuthenticated": "false"
+ },
+ "sessionIssuer": {
+ "accountId": "111122223333",
+ "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
+ "principalId": "SAMPLE_PRINCIPAL_ID",
+ "type": "Role",
+ "userName": "SampleRole"
+ },
+ "webIdFederationData": {}
+ },
+ "type": "AssumedRole"
+ }
+ }
diff --git a/rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.py b/rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.py
new file mode 100644
index 000000000..9e20e95aa
--- /dev/null
+++ b/rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.py
@@ -0,0 +1,15 @@
+from panther_aws_helpers import aws_cloudtrail_success, aws_rule_context, lookup_aws_account_name
+
+
+def rule(event):
+ return aws_cloudtrail_success(event) and event.get("eventName") == "DeleteFlowLogs"
+
+
+def title(event):
+ account = event.deep_get("userIdentity", "accountId", default="")
+ region = event.get("awsRegion", "")
+ return f"VPC Flow logs have been deleted in {lookup_aws_account_name(account)} in {region}"
+
+
+def alert_context(event):
+ return aws_rule_context(event)
diff --git a/rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.yml b/rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.yml
new file mode 100644
index 000000000..2186a617f
--- /dev/null
+++ b/rules/aws_cloudtrail_rules/aws_vpc_flow_logs_deleted.yml
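Review bot: `Reference:` points at `hhttps://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.dns-delete-logs/` — the doubled `h` makes the link unusable from the alert; it should start with `https://`. The Runbook line `Determine if the log removal to is legitimate.` has a stray `to` and should read `Determine if the log removal is legitimate.`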
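Review bot: `alert_context` returns only `aws_rule_context(event)`, so the alert never names which flow logs were deleted even though the sample event carries `requestParameters.DeleteFlowLogsRequest.FlowLogId.content`; the sibling DNS rule in this commit attaches a `logId`, and this rule should surface the flow log ids the same way. The sample shows `FlowLogId` as a single object with a numeric `tag`, which suggests a multi-id request is serialized as a list of such objects — confirm against a real event before relying on that shape. The sample's `responseElements.DeleteFlowLogsResponse.unsuccessful` field is also worth carrying into the context, since a partially failed delete presumably still passes `aws_cloudtrail_success`. The rewrite below adds a `flowLogIds` list and tolerates both shapes.

```python
def alert_context(event):
    # FlowLogId is a single object in the sample event; presumably a list of such objects when
    # several ids are deleted at once — TODO confirm against a real multi-id DeleteFlowLogs event
    flow_log_ids = event.deep_get(
        "requestParameters", "DeleteFlowLogsRequest", "FlowLogId", default=[]
    )
    if isinstance(flow_log_ids, dict):
        flow_log_ids = [flow_log_ids]
    return aws_rule_context(event) | {
        "flowLogIds": [
            entry.get("content") for entry in flow_log_ids if isinstance(entry, dict)
        ],
        "unsuccessful": event.deep_get(
            "responseElements", "DeleteFlowLogsResponse", "unsuccessful", default=""
        ),
    }
```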
@@ -0,0 +1,86 @@
+AnalysisType: rule
+Filename: aws_vpc_flow_logs_deleted.py
+RuleID: "AWS.VPCFlow.LogsDeleted"
+DisplayName: "AWS VPC Flow Logs Removed"
+Enabled: true
+LogTypes:
+ - AWS.CloudTrail
+Severity: Low
+Reports:
+ MITRE ATT&CK:
+ - TA0005:T1562.008 # Defense Evasion: Disable or Modify Cloud Logs
+Description: "Detects when logs for a VPC have been removed."
+Reference:
+ https://stratus-red-team.cloud/attack-techniques/AWS/aws.defense-evasion.vpc-remove-flow-logs/
+Runbook: Look for an accompanying 'DeleteVpc' event, and confirm that they are related. if there is no matching VPC Deletion event, followup with the log removal to determine if it is legitimate.
+Tags:
+ - AWS
+ - Cloudtrail
+ - Defense Evasion
+ - Impair Defenses
+ - Disable or Modify Cloud Logs
+ - Defense Evasion:Impair Defenses
+ - Security Control
+Tests:
+ - Name: Logs Deleted
+ ExpectedResult: true
+ Log:
+ {
+ "p_event_time": "2024-11-26 19:29:38.000000000",
+ "p_log_type": "AWS.CloudTrail",
+ "p_parse_time": "2024-11-26 19:35:54.358700257",
+ "awsRegion": "us-west-2",
+ "eventCategory": "Management",
+ "eventID": "d5e6d49c-0be9-4c53-ab8a-c7ca86edd130",
+ "eventName": "DeleteFlowLogs",
+ "eventSource": "ec2.amazonaws.com",
+ "eventTime": "2024-11-26 19:29:38.000000000",
+ "eventType": "AwsApiCall",
+ "eventVersion": "1.10",
+ "managementEvent": true,
+ "readOnly": false,
+ "recipientAccountId": "111122223333",
+ "requestID": "1dcd7d36-72be-4aad-9e9d-93b88e0135ea",
+ "requestParameters": {
+ "DeleteFlowLogsRequest": {
+ "FlowLogId": {
+ "content": "fl-0ef673ef70c4f07cc",
+ "tag": 1
+ }
+ }
+ },
+ "responseElements": {
+ "DeleteFlowLogsResponse": {
+ "requestId": "1dcd7d36-72be-4aad-9e9d-93b88e0135ea",
+ "unsuccessful": "",
+ "xmlns": "http://ec2.amazonaws.com/doc/2016-11-15/"
+ }
+ },
+ "sourceIPAddress": "1.2.3.4",
+ "tlsDetails": {
+ "cipherSuite": "TLS_AES_128_GCM_SHA256",
+ "clientProvidedHostHeader": "ec2.us-west-2.amazonaws.com",
+ "tlsVersion": "TLSv1.3"
+ },
+ "userAgent": 
"sample-user-agent",
+ "userIdentity": {
+ "accessKeyId": "SAMPLE_ACCESS_KEY",
+ "accountId": "111122223333",
+ "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/leroy.jenkins",
+ "principalId": "SAMPLE_PRINCIPAL_ID:leroy.jenkins",
+ "sessionContext": {
+ "attributes": {
+ "creationDate": "2024-11-26T17:05:50Z",
+ "mfaAuthenticated": "false"
+ },
+ "sessionIssuer": {
+ "accountId": "111122223333",
+ "arn": "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/us-west-2/SampleRole",
+ "principalId": "SAMPLE_PRINCIPAL_ID",
+ "type": "Role",
+ "userName": "SampleRole"
+ }
+ },
+ "type": "AssumedRole"
+ }
+ }
From 9ef96a873d0d081d7718f977c7c7a89c0f681c58 Mon Sep 17 00:00:00 2001
From: ben-githubs <38414634+ben-githubs@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:01:33 -0600
Subject: [PATCH 2/2] Add CrowdStrike Event Streams Passthrough Rule (#1442)
Co-authored-by: Ariel Ropek <79653153+arielkr256@users.noreply.github.com>
---
 packs/crowdstrike_event_streams.yml | 1 +
 .../crowdstrike_detection_summary.py | 47 +++
 .../crowdstrike_detection_summary.yml | 348 ++++++++++++++++++
 3 files changed, 396 insertions(+)
 create mode 100644 rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.py
 create mode 100644 rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml
diff --git a/packs/crowdstrike_event_streams.yml b/packs/crowdstrike_event_streams.yml
index 6cf46dbbf..6f42c54e6 100644
--- a/packs/crowdstrike_event_streams.yml
+++ b/packs/crowdstrike_event_streams.yml
@@ -9,6 +9,7 @@ PackDefinition:
 - Crowdstrike.AllowlistRemoved
 - Crowdstrike.API.Key.Created
 - Crowdstrike.API.Key.Deleted
+ - Crowdstrike.EppDetectionSummary
 - Crowdstrike.EphemeralUserAccount
 - Crowdstrike.IpAllowlistChanged
 - Crowdstrike.NewAdminUserCreated
diff --git a/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.py b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.py
new file mode 100644
index 000000000..3653fbd0a
--- /dev/null
+++ b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.py
@@ -0,0 +1,47 @@
+from panther_core import PantherEvent
+from panther_crowdstrike_event_streams_helpers import cs_alert_context
+
+
+def rule(event: PantherEvent):
+ return event.deep_get("metadata", "eventType") == "EppDetectionSummaryEvent"
+
+
+def title(event: PantherEvent):
+ alert_title = event.deep_get("event", "Name", default="New CrowdStrike Detection")
+ alert_desc = event.deep_get("event", "Description")
+ return f"{alert_title}: {alert_desc}" if alert_desc else alert_title
+
+
+def dedup(event: PantherEvent):
+ if alert_id := event.deep_get("event", "CompositeId"):
+ return alert_id
+ # Else, fall back on title string
+ return title(event)
+
+
+def severity(event: PantherEvent):
+ # First, try returning the severity based on the SeverityName
+ sevname = event.deep_get("event", "SeverityName").upper()
+ allowed_values = ("INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL")
+ if sevname == "INFORMATIONAL":
+ sevname = "INFO"
+ if sevname in allowed_values:
+ return sevname
+
+ # Else, fallback on the numerical value, falling back on MEDIUM if we still don't have a value
+ sevval = event.deep_get("event", "Severity") // 20
+ return {0: "INFO", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL", 5: "CRITICAL"}.get(
+ sevval, "DEFAULT"
+ )
+
+
+def reference(event: PantherEvent):
+ return event.deep_get("event", "FalconHostLink", default="")
+
+
+def alert_context(event: PantherEvent):
+ context = cs_alert_context(event)
+ context.update(
+ {"FalconLink": event.deep_get("event", "FalconHostLink", default="")}
+ )
+ return context
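Review bot: `severity` raises on events that lack the fields it reads: `event.deep_get("event", "SeverityName").upper()` is an AttributeError when `SeverityName` is absent (no `default=` is given, so the lookup yields None), and `event.deep_get("event", "Severity") // 20` is a TypeError when `Severity` is absent, so such a detection produces a rule error instead of an alert. Use `sevname = event.deep_get("event", "SeverityName", default="").upper()` and guard the numeric path with `sevval = event.deep_get("event", "Severity")` followed by `if not isinstance(sevval, int): return "DEFAULT"` before the floor division. The comment above that division promises a MEDIUM fallback while the code returns `"DEFAULT"`; if that string is the sentinel for the rule's configured severity, say so: `# "DEFAULT" defers to the Severity set in the rule YAML (Medium)`. None of the fixtures in the accompanying crowdstrike_detection_summary.yml hunk omit SeverityName or Severity, so a test for that case would pin the fix.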
diff --git a/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml
new file mode 100644
index 000000000..2ca9c12fc
--- /dev/null
+++ b/rules/crowdstrike_rules/event_stream_rules/crowdstrike_detection_summary.yml
@@ -0,0 +1,348 @@ +AnalysisType: rule +Filename: crowdstrike_detection_summary.py +RuleID: "Crowdstrike.EppDetectionSummary" +DisplayName: "Crowdstrike Detection Summary" +Enabled: true +LogTypes: + - Crowdstrike.EventStreams +Severity: Medium +Description: Forwards any alerts generated by CrowdStrike to your Panther destinations. +DedupPeriodMinutes: 60 +Threshold: 1 +Runbook: Followup with the alert according to CrowdStrike's recommendations. +Tags: + - Crowdstrike + - Passthrough +Tests: + - Name: INFO Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. 
Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + "RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 10, + "SeverityName": "Informational", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + 
"version": "1.0" + } + } + - Name: LOW Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + 
"RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 20, + "SeverityName": "Low", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + "version": "1.0" + } + } + - Name: MEDIUM Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. 
Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + "RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 50, + "SeverityName": "Medium", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + "version": 
"1.0" + } + } + - Name: HIGH Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + 
"RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 70, + "SeverityName": "High", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + "version": "1.0" + } + } + - Name: CRIT Alert + ExpectedResult: true + Log: + { + "p_event_time": "2024-12-03 19:54:30.000000000", + "p_log_type": "Crowdstrike.EventStreams", + "p_parse_time": "2024-12-03 19:55:53.866056859", + "event": { + "CommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=3832,i,16271085821438557631,11283940248133486999,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8", + "CompositeId": "DETECTION ID", + "Description": "A process has written a known EICAR test file. 
Review the files written by the triggered process.", + "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/DETECTION-ID?_cid=g04000rdir6xllkvfbjftn5dbo67ord4", + "FileName": "msedge.exe", + "FilePath": "\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", + "GrandparentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFilename": "explorer.exe", + "LocalIP": "10.0.6.37", + "MACAddress": "06-a7-e1-13-09-0d", + "MD5String": "fcde6b30b89cabf7d0460bc5a580cb12", + "Name": "Known Malware", + "Objective": "Follow Through", + "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --profile-directory=Default", + "ParentImageFileName": "msedge.exe", + "ParentProcessId": "90559720124", + "PatternDispositionDescription": "Detection, standard detection.", + "PatternDispositionFlags": { + "BootupSafeguardEnabled": false, + "CriticalProcessDisabled": false, + "Detect": false, + "FsOperationBlocked": false, + "InddetMask": false, + "Indicator": false, + "KillParent": false, + "KillProcess": false, + "KillSubProcess": false, + "OperationBlocked": false, + "PolicyDisabled": false, + "ProcessBlocked": false, + "QuarantineFile": false, + "QuarantineMachine": false, + "RegistryOperationBlocked": false, + "Rooting": false, + "SensorOnly": false + }, + "PatternDispositionValue": 0, + "ProcessEndTime": "1970-01-01 00:00:00.000000000", + "ProcessId": "90597916092", + "ProcessStartTime": "2024-12-03 19:53:19.000000000", + "SHA1String": "0000000000000000000000000000000000000000", + "SHA256String": "05d8bce07453a2f3e77503797e39365fd78766099ca60968b9f411ce9886d4ae", + "Severity": 90, + "SeverityName": "Critical", + "Tactic": "Execution", + "Technique": "User Execution", + "UserName": "Administrator" + }, + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "EppDetectionSummaryEvent", + "offset": 1201171, + "version": 
"1.0" + } + } + - Name: Unrelated Event + ExpectedResult: false + Log: + { + "metadata": { + "customerIDString": "CUST_ID", + "eventCreationTime": "2024-12-03 19:54:30.000000000", + "eventType": "AuthActivityAuditEvent", + "offset": 1201171, + "version": "1.0" + } + }