Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Aws system location hb #624

Merged
merged 13 commits into from
Jan 16, 2024
Merged

Aws system location hb #624

merged 13 commits into from
Jan 16, 2024

Conversation

hbenac10
Copy link
Contributor

Background

Added new ODIN detection for MITRE system location discovery.

@hbenac10 hbenac10 requested review from a team January 12, 2023 15:05
@calkim-panther
Copy link
Contributor

I'd make both of these INFO sev.

Additionally the threshold behavior would be to not alert unless someone repeats the same action X times since the title being used for dedup has the useridentity, action, and account. If the intention was to alert if someone performs any of the listed actions X times, we'd need a custom dedup string excluding the action.

@calkim-panther
Copy link
Contributor

This PR contains duplicate code to #642

@calkim-panther
Copy link
Contributor

Please move rules/aws_cloudtrail_rules/aws_system_discovery_location.py to #642 and close

@hbenac10
Copy link
Contributor Author

Please move rules/aws_cloudtrail_rules/aws_system_discovery_location.py to #642 and close

Close this PR or the other one?

edyesed
edyesed suggested changes Feb 8, 2023
View reviewed changes
Copy link
Contributor

@edyesed edyesed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This just needs a tweak on the MITRE tactic:technique and seems good to ship otherwise

rules/aws_cloudtrail_rules/aws_software_discovery.yml Outdated Show resolved Hide resolved
rules/aws_cloudtrail_rules/aws_software_discovery.yml Outdated Show resolved Hide resolved
@hbenac10 hbenac10 requested a review from edyesed February 8, 2023 16:44
@zacbrown zacbrown removed the request for review from a team May 31, 2023 20:25
@egibs egibs removed the request for review from edyesed October 30, 2023 21:41
@hbenac10 hbenac10 requested a review from a team January 16, 2024 18:40
arielkr256
arielkr256 approved these changes Jan 16, 2024
View reviewed changes
Copy link
Contributor

@arielkr256 arielkr256 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MITRE Tag update looks good!

@arielkr256 arielkr256 merged commit 4ef577a into main Jan 16, 2024
6 checks passed
@arielkr256 arielkr256 deleted the aws-system-location-hb branch January 16, 2024 18:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edyesed edyesed edyesed requested changes

@arielkr256 arielkr256 arielkr256 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hbenac10 @calkim-panther @edyesed @arielkr256