Add references to rules (standard_rules)

akozlovets098 · akozlovets098 · commit de8164cdcd3a · 2023-12-12T15:45:34.000+02:00
diff --git a/rules/standard_rules/admin_assigned.yml b/rules/standard_rules/admin_assigned.yml
@@ -18,8 +18,9 @@ Severity: Medium
 Reports:
   MITRE ATT&CK:
     - TA0004:T1078
-Description: Attaching an audit role manually could be a sign of privilege escalation
+Description: Assigning an admin role manually could be a sign of privilege escalation
 Runbook: Verify with the user who attached the role or add to a allowlist
+Reference: https://medium.com/@gokulelango1040/privilege-escalation-attacks-28a9ef226abb
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:
diff --git a/rules/standard_rules/brute_force_by_ip.yml b/rules/standard_rules/brute_force_by_ip.yml
@@ -23,6 +23,7 @@ Reports:
     - TA0006:T1110
 Description: An actor user was denied login access more times than the configured threshold.
 Runbook: Analyze the IP they came from, and other actions taken before/after. Check if a user from this ip eventually authenticated successfully.
+Reference: https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:
diff --git a/rules/standard_rules/impossible_travel_login.yml b/rules/standard_rules/impossible_travel_login.yml
@@ -21,6 +21,7 @@ Runbook: >
 
   If the user responds that the geolocation on the new location is incorrect, you can directly
   report the inaccuracy via  https://ipinfo.io/corrections
+Reference: https://expertinsights.com/insights/what-are-impossible-travel-logins/#:~:text=An%20impossible%20travel%20login%20is,of%20the%20logins%20is%20fraudulent.
 SummaryAttributes:
   - p_any_usernames
   - p_any_ip_addresses
diff --git a/rules/standard_rules/malicious_sso_dns_lookup.yml b/rules/standard_rules/malicious_sso_dns_lookup.yml
@@ -19,6 +19,7 @@ Reports:
     - TA0001:T1566
 Description: The rule looks for DNS requests to sites potentially posing as SSO domains.
 Runbook: Verify if the destination domain is owned by your organization.
+Reference: https://www.cloudns.net/wiki/article/254/#:~:text=A%20DNS%20query%20(also%20known,associated%20with%20a%20domain%20name.
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:
diff --git a/rules/standard_rules/mfa_disabled.yml b/rules/standard_rules/mfa_disabled.yml
@@ -15,6 +15,7 @@ Tags:
 Reports:
   MITRE ATT&CK:
     - TA0005:T1556
+Reference: https://en.wikipedia.org/wiki/Multi-factor_authentication
 Severity: High
 Description: Detects when Multi-Factor Authentication (MFA) is disabled
 SummaryAttributes:
diff --git a/rules/standard_rules/standard_dns_base64.yml b/rules/standard_rules/standard_dns_base64.yml
@@ -4,6 +4,7 @@ Description: Detects DNS queries with Base64 encoded subdomains, which could ind
 RuleID: "Standard.DNSBase64"
 Enabled: false
 Filename: standard_dns_base64.py
+Reference: https://zofixer.com/what-is-base64-disclosure-vulnerability/
 Severity: Medium
 DedupPeriodMinutes: 60
 Threshold: 1
diff --git a/rules/standard_rules/unusual_login_deprecated.yml b/rules/standard_rules/unusual_login_deprecated.yml
@@ -29,6 +29,7 @@ Runbook: >
   Reach out to the user to ensure the login was legitimate.  Be sure to use a means outside the one the unusual login originated from, if one is available. CC an individual that works with the user for visibility, usually the user’s manager if they’re available. The second user is not expected to respond, unless they find the response unusual or the location unexpected.
 
   To reduce noise, geolocation history length can be configured in the rule body to increase the number of allowed locations per user.
+Reference: https://d3fend.mitre.org/technique/d3f:UserGeolocationLogonPatternAnalysis/
 SummaryAttributes:
   - p_any_ip_addresses
 Tests:
