Threat-274 OCSF data model, CloudTrail #1238

akozlovets098 · 2024-05-15T12:07:12Z

Background

The Open Cybersecurity Schema Framework (OCSF) is a collaborative, open-source effort by AWS and leading partners in the cybersecurity industry. OCSF provides a standard schema for common security events, defines versioning criteria to facilitate schema evolution, and includes a self-governance process for security log producers and consumers. Having our AWS rules work with OCSF log could have a great value for customers who will use OCSF.

Changes

Added data models for OCSF.AccountChange, OCSF.ApiActivity, OCSF.Authentication log types
Updated data model for AWS.CloudTrail
Updated AWS CloudTrail rules to work with data models
Added unit tests for OCSF logs
Reformatted unit tests yaml -> json

Testing

See unit tests updates

* Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <[email protected]>

* fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix

* fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix

* added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <[email protected]>

* traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <[email protected]> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <[email protected]> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Oleh Melenevskyi <[email protected]>

* Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0

python from sdyaml

* consistency nit fixes * - somethings -> some things

* alert passthrough * Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <[email protected]> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * linting * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <[email protected]> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <[email protected]> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <[email protected]> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Oleh Melenevskyi <[email protected]> * Update PAT to 0.46.0 (#1216) * add file/host state to msft graph alert context (#1220) * fix timestamps (#1219) * Update PAT to 0.46.1 (#1222) * pack for traildiscover LUT (#1221) * use event.deep_get and remove InlineFilters * add pack --------- Co-authored-by: Oleh Melenevskyi <[email protected]> Co-authored-by: Ariel Ropek <[email protected]> Co-authored-by: akozlovets098 <[email protected]> Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: ben-githubs <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Evan Gibler <[email protected]> Co-authored-by: Nick Hakmiller <[email protected]> Co-authored-by: Ariel Ropek <[email protected]>

# Conflicts: # .github/CODEOWNERS # Pipfile # Pipfile.lock

* Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <[email protected]> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * Push Security rules * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <[email protected]> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <[email protected]> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <[email protected]> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Oleh Melenevskyi <[email protected]> * Update PAT to 0.46.0 (#1216) * add file/host state to msft graph alert context (#1220) * fix timestamps (#1219) * Update PAT to 0.46.1 (#1222) * pack for traildiscover LUT (#1221) * pack, fmt lint, event.deep_get * pack update --------- Co-authored-by: Oleh Melenevskyi <[email protected]> Co-authored-by: Ariel Ropek <[email protected]> Co-authored-by: akozlovets098 <[email protected]> Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: ben-githubs <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Evan Gibler <[email protected]> Co-authored-by: Nick Hakmiller <[email protected]> Co-authored-by: Ariel Ropek <[email protected]>

* created pack and updated event.deep_get * update logtype

* Remove Node/NPM/Prettier Signed-off-by: egibs <[email protected]> * Update README; add removal notes Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>

Signed-off-by: egibs <[email protected]>

* Use harden-runner Action for all Workflows Signed-off-by: egibs <[email protected]> * Run Docker Workflow Signed-off-by: egibs <[email protected]> * Add blocking policy for docker.yml Signed-off-by: egibs <[email protected]> * Add permissions to Workflow Signed-off-by: egibs <[email protected]> * More permissions Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>

* Deprecate GreyNoise detections (#1205) * Deprecate GreyNoise detections * Update rules/aws_cloudtrail_rules/aws_s3_activity_greynoise.yml * Update rules/cloudflare_rules/cloudflare_firewall_suspicious_event_greynoise.yml * Update cloudflare_httpreq_bot_high_volume_greynoise.yml --------- Co-authored-by: Ariel Ropek <[email protected]> * fix - Notion Login From New Location - NoneType error (#1206) * fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix * remove codeowners (#1208) * fix - GCP rules - AttributeError (#1210) * fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix * MITRE ATT&CK Mappings for MS Rules (#1209) * added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <[email protected]> * traildiscover enrichment with managed schema (#1177) * traildiscover enrichment with managed schema * Add npm install in dockerfile (#1172) * add npm install in dockerfile * Remove Python optimizations; add prettier to PATH --------- Co-authored-by: egibs <[email protected]> * schema name: TrailDiscover.CloudTrail * Fix Dockerfile; add Workflow to test image * updated data set * Add MongoDB.2FA.Disabled rule (#1190) Co-authored-by: Ariel Ropek <[email protected]> * lint and fmt * fmt * add OCSF selector * additional OCSF mappings * Fix Pipfile * Rebase changes --------- Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Oleh Melenevskyi <[email protected]> * Update PAT to 0.46.0 (#1216) * THREAT-319 Replace geoinfo_from_ip with new version --------- Co-authored-by: Oleh Melenevskyi <[email protected]> Co-authored-by: Ariel Ropek <[email protected]> Co-authored-by: Panos Sakkos <[email protected]> Co-authored-by: ben-githubs <[email protected]> Co-authored-by: egibs <[email protected]> Co-authored-by: Evan Gibler <[email protected]> Co-authored-by: Evan Gibler <[email protected]>

Signed-off-by: egibs <[email protected]>

* Tweak Snowflake queries Signed-off-by: egibs <[email protected]> * Remove configuration drift query from Pack Signed-off-by: egibs <[email protected]> * Threat Hunting queries are okay Signed-off-by: egibs <[email protected]> * Fix comment Workflow Signed-off-by: egibs <[email protected]> * 12 hours -> 1 day Signed-off-by: egibs <[email protected]> * Update queries/snowflake_queries/snowflake_0108977_configuration_drift.yml --------- Signed-off-by: egibs <[email protected]> Co-authored-by: Ariel Ropek <[email protected]>

melenevskyi and others added 29 commits April 11, 2024 14:33

fix - Notion Login From New Location - NoneType error (#1206)

319fd15

* fix - Notion Login From New Location - NoneType error * fix - Notion Login From New Location - NoneType error - linter fix

remove codeowners (#1208)

3fde677

fix - GCP rules - AttributeError (#1210)

9239b29

* fix - GCP rules - AttributeError * fix - GCP rules - AttributeError - linter fix

MITRE ATT&CK Mappings for MS Rules (#1209)

f1180d4

* added MITRE mappings for microsoft rules * fixed formatting on some helper files --------- Co-authored-by: Ariel Ropek <[email protected]>

Update PAT to 0.46.0 (#1216)

e2e9b4f

Replace panther_analysis_tool import with updated import (#1230)

cd042d2

Update Action versions; use SHAs (#1231)

5e5f196

* Update Action versions; use SHAs * Add dependabot.yml to keep Actions updated * Update PAT to 0.49.0

migrates the gcp_storage_hmac_keys_create rule to (#1233)

0f28285

python from sdyaml

move scheduled rules to the queries directory (#1234)

83e6d74

consistency nit fixes (#1235)

575cf47

* consistency nit fixes * - somethings -> some things

Merge remote-tracking branch 'origin/release' into release

1cb6695

# Conflicts: # .github/CODEOWNERS # Pipfile # Pipfile.lock

created pack and updated event.deep_get (#1239)

1252a70

Push logtype update (#1240)

63db6ce

* created pack and updated event.deep_get * update logtype

Remove Node/NPM/Prettier (#1241)

442849c

* Remove Node/NPM/Prettier Signed-off-by: egibs <[email protected]> * Update README; add removal notes Signed-off-by: egibs <[email protected]> --------- Signed-off-by: egibs <[email protected]>

Merge remote-tracking branch 'origin/release' into release

309c401

Small Workflow tweaks (#1243)

c8b23bd

Signed-off-by: egibs <[email protected]>

Use full Action SHAs rather than versioned releases (#1245)

cec5c8c

Signed-off-by: egibs <[email protected]>

auth0-cic-credential-stuffing rule and query (#1246)

ca6f7de

Merge branch 'main' into release

7eed675

Signed-off-by: egibs <[email protected]>

Update panther-core to 0.10.1 via PAT (#1249)

12ff27b

Signed-off-by: egibs <[email protected]>

Merge remote-tracking branch 'origin/release' into release

c331931

THREAT-278 OCSF data model, CloudTrail

88becd1

THREAT-278 OCSF data model, CloudTrail - update deps, fix errors

63439fc

akozlovets098 force-pushed the THREAT-274-OCSF-data-model,-CloudTrail branch from 51d8db3 to 63439fc Compare June 4, 2024 12:28

THREAT-278 OCSF data model, CloudTrail - fix pack & formatting

40e9e64

akozlovets098 force-pushed the THREAT-274-OCSF-data-model,-CloudTrail branch from 7b1f499 to 40e9e64 Compare June 4, 2024 12:52

akozlovets098 and others added 3 commits June 4, 2024 16:02

THREAT-278 OCSF data model, CloudTrail - added auth0 rule to pack

1ddcd0e

Merge branch 'release' into THREAT-274-OCSF-data-model,-CloudTrail

a854c16

akozlovets098 marked this pull request as ready for review June 5, 2024 08:15

akozlovets098 requested a review from a team as a code owner June 5, 2024 08:15

egibs force-pushed the release branch from bc59473 to 575dc62 Compare June 27, 2024 15:23

arielkr256 added the enhancement New feature or request label Sep 4, 2024

arielkr256 added enhancement New feature or request and removed enhancement New feature or request labels Sep 11, 2024

arielkr256 marked this pull request as draft September 25, 2024 18:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Threat-274 OCSF data model, CloudTrail #1238

Threat-274 OCSF data model, CloudTrail #1238

akozlovets098 commented May 15, 2024 •

edited

Loading

Threat-274 OCSF data model, CloudTrail #1238

Are you sure you want to change the base?

Threat-274 OCSF data model, CloudTrail #1238

Conversation

akozlovets098 commented May 15, 2024 • edited Loading

Background

Changes

Testing

akozlovets098 commented May 15, 2024 •

edited

Loading