diff --git a/rules/aws_cloudtrail_rules/abnormally_high_event_volume.yml b/rules/aws_cloudtrail_rules/abnormally_high_event_volume.yml index 13e8baa43..a227fdf9e 100644 --- a/rules/aws_cloudtrail_rules/abnormally_high_event_volume.yml +++ b/rules/aws_cloudtrail_rules/abnormally_high_event_volume.yml @@ -6,6 +6,7 @@ Filename: abnormally_high_event_volume.py Reports: MITRE ATT&CK: - TA0040:T1499 +Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html Severity: Medium Tests: - ExpectedResult: false diff --git a/rules/aws_cloudtrail_rules/aws_ec2_ebs_encryption_disabled.yml b/rules/aws_cloudtrail_rules/aws_ec2_ebs_encryption_disabled.yml index 9b81e2834..f4911d7f3 100644 --- a/rules/aws_cloudtrail_rules/aws_ec2_ebs_encryption_disabled.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_ebs_encryption_disabled.yml @@ -8,6 +8,7 @@ Reports: - TA0040:T1486 - TA0040:T1565 Runbook: Verify this action was intended and if any EBS volumes were created after the change. +Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml index a65080bf8..953b2c80d 100644 --- a/rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_gateway_modified.yml @@ -17,7 +17,7 @@ Reports: Severity: Info Description: An EC2 Network Gateway was modified. Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-gateway-modified -Reference: reference.link +Reference: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html SummaryAttributes: - eventName - userAgent diff --git a/rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml b/rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml index 068492604..45028382f 100644 
--- a/rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_manual_security_group_changes.yml @@ -17,6 +17,7 @@ Severity: Medium Description: > An EC2 security group was manually updated without abiding by the organization's accepted processes. This rule expects organizations to either use the Console, CloudFormation, or Terraform, configurable in the rule's ALLOWED_USER_AGENTS. Runbook: Identify the actor who changed the security group and validate it was legitimate +Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html Tests: - Name: AWS Console - Ingress SG Authorization diff --git a/rules/aws_cloudtrail_rules/aws_ec2_monitoring.yml b/rules/aws_cloudtrail_rules/aws_ec2_monitoring.yml index 506d41736..b8f9bb6c0 100644 --- a/rules/aws_cloudtrail_rules/aws_ec2_monitoring.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_monitoring.yml @@ -7,6 +7,7 @@ Reports: MITRE ATT&CK: - TA0002:T1204 Runbook: Verify that the action was not taken by a malicious actor. +Reference: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html#amazonec2imagebuilder-actions-as-permissions Severity: Info Tags: - ec2 diff --git a/rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml index ef10a35cf..61ded1b13 100644 --- a/rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_network_acl_modified.yml @@ -17,7 +17,7 @@ Reports: Severity: Info Description: An EC2 Network ACL was modified. Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-network-acl-modified -Reference: reference.link +Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-tasks SummaryAttributes: - eventName - userAgent 
diff --git a/rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml index ecb4c4592..cd3261d37 100644 --- a/rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_route_table_modified.yml @@ -16,7 +16,7 @@ Reports: Severity: Info Description: An EC2 Route Table was modified. Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-route-table-modified -Reference: reference.link +Reference: https://docs.aws.amazon.com/vpc/latest/userguide/WorkWithRouteTables.html SummaryAttributes: - eventName - userAgent diff --git a/rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml index 8b716d58f..b9439e56b 100644 --- a/rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_security_group_modified.yml @@ -19,7 +19,7 @@ DedupPeriodMinutes: 720 # 12 hours Description: > An EC2 Security Group was modified. Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-securitygroup-modified -Reference: reference.link +Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html SummaryAttributes: - eventName - userAgent diff --git a/rules/aws_cloudtrail_rules/aws_ec2_startup_script_change.yml b/rules/aws_cloudtrail_rules/aws_ec2_startup_script_change.yml index 7ecebd1ef..912273f98 100644 --- a/rules/aws_cloudtrail_rules/aws_ec2_startup_script_change.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_startup_script_change.yml @@ -6,6 +6,7 @@ Filename: aws_ec2_startup_script_change.py Reports: MITRE ATT&CK: - TA0002:T1059 +Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-shell-scripts Severity: High Tests: - ExpectedResult: false 
diff --git a/rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml b/rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml index dcb751b64..b7d42f1cc 100644 --- a/rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml +++ b/rules/aws_cloudtrail_rules/aws_ec2_vpc_modified.yml @@ -18,7 +18,7 @@ Severity: Info DedupPeriodMinutes: 720 # 12 hours Description: An EC2 VPC was modified. Runbook: https://docs.runpanther.io/alert-runbooks/built-in-rules/aws-ec2-vpc-modified -Reference: reference.link +Reference: https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html SummaryAttributes: - eventName - userAgent diff --git a/rules/aws_cloudtrail_rules/aws_ecr_crud.yml b/rules/aws_cloudtrail_rules/aws_ecr_crud.yml index 94da54aa1..3d6b8562d 100644 --- a/rules/aws_cloudtrail_rules/aws_ecr_crud.yml +++ b/rules/aws_cloudtrail_rules/aws_ecr_crud.yml @@ -16,7 +16,7 @@ Reports: Severity: High Description: Unauthorized ECR Create, Read, Update, or Delete event occurred. Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html -Reference: reference.link +Reference: https://docs.aws.amazon.com/AmazonECR/latest/userguide/security-iam.html#security_iam_authentication SummaryAttributes: - eventSource - eventName diff --git a/rules/aws_cloudtrail_rules/aws_ecr_events.yml b/rules/aws_cloudtrail_rules/aws_ecr_events.yml index cee78d59e..66ecf1bcd 100644 --- a/rules/aws_cloudtrail_rules/aws_ecr_events.yml +++ b/rules/aws_cloudtrail_rules/aws_ecr_events.yml @@ -14,7 +14,7 @@ Reports: Severity: High Description: An ECR event occurred outside of an expected account or region Runbook: https://docs.aws.amazon.com/AmazonECR/latest/userguide/logging-using-cloudtrail.html -Reference: reference.link +Reference: https://aws.amazon.com/blogs/containers/amazon-ecr-in-multi-account-and-multi-region-architectures/ SummaryAttributes: - eventSource - recipientAccountId 
diff --git a/rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml b/rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml index 889673e53..9168f4e16 100644 --- a/rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml +++ b/rules/aws_cloudtrail_rules/aws_iam_assume_role_blocklist_ignored.yml @@ -18,7 +18,7 @@ Description: > A user assumed a role that was explicitly blocklisted for manual user assumption. Runbook: > Verify that this was an approved assume role action. If not, consider revoking the access immediately and updating the AssumeRolePolicyDocument to prevent this from happening again. -Reference: reference.link +Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html SummaryAttributes: - userAgent - sourceIpAddress diff --git a/rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml b/rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml index 49c3a8d52..da163310b 100644 --- a/rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml +++ b/rules/aws_cloudtrail_rules/aws_iam_entity_created_without_cloudformation.yml @@ -18,7 +18,7 @@ Description: > An IAM Entity (Group, Policy, Role, or User) was created manually. IAM entities should be created in code to ensure that permissions are tracked and managed correctly. Runbook: > Verify whether IAM entity needs to exist. If so, re-create it in an appropriate CloudFormation, Terraform, or other template. Delete the original manually created entity. -Reference: reference.link +Reference: https://blog.awsfundamentals.com/aws-iam-roles-with-aws-cloudformation SummaryAttributes: - userAgent - sourceIpAddress diff --git a/rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml b/rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml index 1b6ed35da..85b344557 100644 --- a/rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml 
+++ b/rules/aws_cloudtrail_rules/aws_iam_user_key_created.yml @@ -9,6 +9,7 @@ Reports: - TA0005:T1108 - TA0005:T1550 - TA0008:T1550 +Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html Severity: Medium Tests: - ExpectedResult: false diff --git a/rules/aws_cloudtrail_rules/aws_ipset_modified.yml b/rules/aws_cloudtrail_rules/aws_ipset_modified.yml index 48fe17499..ff59598bd 100644 --- a/rules/aws_cloudtrail_rules/aws_ipset_modified.yml +++ b/rules/aws_cloudtrail_rules/aws_ipset_modified.yml @@ -6,6 +6,7 @@ Filename: aws_ipset_modified.py Reports: MITRE ATT&CK: - TA0005:T1562 +Reference: https://docs.aws.amazon.com/managedservices/latest/ctref/management-monitoring-guardduty-ip-set-update-review-required.html Severity: High Tests: - ExpectedResult: true diff --git a/rules/aws_cloudtrail_rules/aws_key_compromised.yml b/rules/aws_cloudtrail_rules/aws_key_compromised.yml index 959e13dba..5acf713a6 100644 --- a/rules/aws_cloudtrail_rules/aws_key_compromised.yml +++ b/rules/aws_cloudtrail_rules/aws_key_compromised.yml @@ -14,7 +14,7 @@ Tags: Severity: High Description: A users static AWS API key was uploaded to a public github repo. Runbook: Determine the key owner, disable/delete key, and delete the user to resolve the AWS case. If user needs a new IAM give them a stern talking to first. -Reference: N/A +Reference: https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning Tests: - Name: An AWS Access Key was Uploaded to Github diff --git a/rules/aws_cloudtrail_rules/aws_lambda_crud.yml b/rules/aws_cloudtrail_rules/aws_lambda_crud.yml index 7d12ab1a1..8ca1cb70c 100644 --- a/rules/aws_cloudtrail_rules/aws_lambda_crud.yml +++ b/rules/aws_cloudtrail_rules/aws_lambda_crud.yml 
@@ -16,7 +16,7 @@ Reports: Severity: High Description: Unauthorized lambda Create, Read, Update, or Delete event occurred. Runbook: https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html -Reference: reference.link +Reference: https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html SummaryAttributes: - eventSource - eventName diff --git a/rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml b/rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml index a6f921c61..7a5e31f08 100644 --- a/rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml +++ b/rules/aws_cloudtrail_rules/aws_network_acl_permissive_entry.yml @@ -16,7 +16,7 @@ Description: > A Network ACL entry that allows access from anywhere was added. Runbook: > Remove the overly permissive Network ACL entry and add a new entry with more restrictive permissions. -Reference: reference.link +Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules SummaryAttributes: - userAgent - sourceIpAddress diff --git a/rules/aws_cloudtrail_rules/aws_rds_master_pass_updated.yml b/rules/aws_cloudtrail_rules/aws_rds_master_pass_updated.yml index e7ccad158..9333440bc 100644 --- a/rules/aws_cloudtrail_rules/aws_rds_master_pass_updated.yml +++ b/rules/aws_cloudtrail_rules/aws_rds_master_pass_updated.yml @@ -3,6 +3,7 @@ Description: A sensitive database operation that should be performed carefully o DisplayName: "AWS RDS Master Password Updated" Enabled: true Filename: aws_rds_master_pass_updated.py +Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html Severity: Low DedupPeriodMinutes: 60 Reports: diff --git a/rules/aws_cloudtrail_rules/aws_rds_publicrestore.yml b/rules/aws_cloudtrail_rules/aws_rds_publicrestore.yml index d089332ad..0de637b43 100644 --- a/rules/aws_cloudtrail_rules/aws_rds_publicrestore.yml +++ b/rules/aws_cloudtrail_rules/aws_rds_publicrestore.yml 
@@ -6,6 +6,7 @@ Filename: aws_rds_publicrestore.py Reports: MITRE ATT&CK: - TA0010:T1020 +Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html Severity: High Tests: - ExpectedResult: false diff --git a/rules/aws_cloudtrail_rules/aws_resource_made_public.yml b/rules/aws_cloudtrail_rules/aws_resource_made_public.yml index 101bbfaf6..5772e529f 100644 --- a/rules/aws_cloudtrail_rules/aws_resource_made_public.yml +++ b/rules/aws_cloudtrail_rules/aws_resource_made_public.yml @@ -16,7 +16,7 @@ Description: > Some AWS resource was made publicly accessible over the internet. Checks ECR, Elasticsearch, KMS, S3, S3 Glacier, SNS, SQS, and Secrets Manager. Runbook: Adjust the policy so that the resource is no longer publicly accessible -Reference: reference.link +Reference: https://aws.amazon.com/blogs/security/identifying-publicly-accessible-resources-with-amazon-vpc-network-access-analyzer/ SummaryAttributes: - userAgent - sourceIpAddress diff --git a/rules/aws_cloudtrail_rules/aws_root_console_login.yml b/rules/aws_cloudtrail_rules/aws_root_console_login.yml index 9ae623cc8..1ee570154 100644 --- a/rules/aws_cloudtrail_rules/aws_root_console_login.yml +++ b/rules/aws_cloudtrail_rules/aws_root_console_login.yml @@ -16,7 +16,7 @@ Reports: Description: Deprecated. Please see AWS.Console.RootLogin instead. Runbook: > Verify that the root login was authorized. If not, investigate the root activity and ensure no malicious activity was performed. Change the root password. -Reference: reference.link +Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html SummaryAttributes: - eventSource - userAgent diff --git a/rules/aws_cloudtrail_rules/aws_saml_activity.yml b/rules/aws_cloudtrail_rules/aws_saml_activity.yml index 4cb712416..f8200daf4 100644 --- a/rules/aws_cloudtrail_rules/aws_saml_activity.yml +++ b/rules/aws_cloudtrail_rules/aws_saml_activity.yml 
@@ -3,6 +3,7 @@ Description: Identifies when SAML activity has occurred in AWS. An adversary cou DisplayName: "AWS SAML Activity" Enabled: true Filename: aws_saml_activity.py +Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/aws_cloudtrail_rules/aws_security_configuration_change.yml b/rules/aws_cloudtrail_rules/aws_security_configuration_change.yml index 24172f3ed..8f1d4d3f0 100644 --- a/rules/aws_cloudtrail_rules/aws_security_configuration_change.yml +++ b/rules/aws_cloudtrail_rules/aws_security_configuration_change.yml @@ -15,7 +15,7 @@ Reports: Description: An account wide security configuration was changed. Runbook: > Verify that this change was planned. If not, revert the change and update the access control policies to ensure this doesn't happen again. -Reference: reference.link +Reference: https://docs.aws.amazon.com/prescriptive-guidance/latest/aws-startup-security-baseline/controls-acct.html SummaryAttributes: - eventName - userAgent diff --git a/rules/aws_cloudtrail_rules/aws_securityhub_finding_evasion.yml b/rules/aws_cloudtrail_rules/aws_securityhub_finding_evasion.yml index a7ae22a4e..2c1229932 100644 --- a/rules/aws_cloudtrail_rules/aws_securityhub_finding_evasion.yml +++ b/rules/aws_cloudtrail_rules/aws_securityhub_finding_evasion.yml @@ -6,6 +6,7 @@ Filename: aws_securityhub_finding_evasion.py Reports: MITRE ATT&CK: - TA0005:T1562 +Reference: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights-view-take-action.html Severity: High Tests: - ExpectedResult: false diff --git a/rules/aws_cloudtrail_rules/aws_snapshot_backup_exfiltration.yml b/rules/aws_cloudtrail_rules/aws_snapshot_backup_exfiltration.yml index b4cde3add..0ff37b39d 100644 --- a/rules/aws_cloudtrail_rules/aws_snapshot_backup_exfiltration.yml +++ b/rules/aws_cloudtrail_rules/aws_snapshot_backup_exfiltration.yml 
@@ -6,6 +6,7 @@ Filename: aws_snapshot_backup_exfiltration.py Reports: MITRE ATT&CK: - TA0010:T1537 +Reference: https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/ec2-backup.html Severity: Medium Tests: - ExpectedResult: true diff --git a/rules/aws_cloudtrail_rules/aws_snapshot_made_public.yml b/rules/aws_cloudtrail_rules/aws_snapshot_made_public.yml index d2145736c..2b8786331 100644 --- a/rules/aws_cloudtrail_rules/aws_snapshot_made_public.yml +++ b/rules/aws_cloudtrail_rules/aws_snapshot_made_public.yml @@ -14,7 +14,7 @@ Reports: Severity: Medium Description: An AWS storage snapshot was made public. Runbook: Adjust the snapshot configuration so that it is no longer public. -Reference: reference.link +Reference: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html SummaryAttributes: - userAgent - sourceIpAddress diff --git a/rules/aws_cloudtrail_rules/aws_user_login_profile_modified.yml b/rules/aws_cloudtrail_rules/aws_user_login_profile_modified.yml index a351b1016..84cf26c4e 100644 --- a/rules/aws_cloudtrail_rules/aws_user_login_profile_modified.yml +++ b/rules/aws_cloudtrail_rules/aws_user_login_profile_modified.yml @@ -9,6 +9,7 @@ Reports: - TA0005:T1108 - TA0005:T1550 - TA0008:T1550 +Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage-pass-accesskeys-ssh.html Severity: High Tests: - ExpectedResult: false
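Review bot: in the first hunk (abnormally_high_event_volume.yml) the new `Reference:` key is inserted directly after the `Reports:` block, but elsewhere in this patch it is placed after `Filename:` (aws_rds_master_pass_updated.yml, aws_saml_activity.yml) or after `Runbook:` (every file where it replaces `reference.link`); pick one position for `Reference:` in the rule schema and apply it consistently so the metadata blocks stay easy to scan and diff. Also confirm the document chosen here is the intended one: the linked page describes how to configure CloudTrail data-event logging, whereas the rule's technique tag (TA0040:T1499) concerns an event-volume anomaly, so a note in the description about why data events matter to this rule would help the reader.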
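Review bot: in the aws_ec2_monitoring.yml hunk the new reference points at the Service Authorization Reference page for EC2 Image Builder actions, which does not obviously match a rule named "EC2 monitoring" tagged `ec2` with technique TA0002:T1204; if the rule is about changes to instance monitoring, point the reference at the EC2 monitoring documentation instead, or add a sentence to the description explaining why Image Builder permissions are the relevant background.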
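Review bot: in the aws_iam_assume_role_blocklist_ignored.yml hunk the reference (`access_policies_boundaries.html`) covers IAM permissions boundaries, but the runbook in the same hunk tells the responder to update the `AssumeRolePolicyDocument`, which is the role trust policy; a permissions boundary does not control who may assume a role, so the reference should point at the IAM documentation on role trust policies (or on `sts:AssumeRole` conditions) so the responder is sent to the control the runbook actually names.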
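Review bot: in the aws_iam_entity_created_without_cloudformation.yml hunk the new reference is a third-party blog (blog.awsfundamentals.com), while every other reference in this patch is an AWS or GitHub documentation page; the runbook also names Terraform and "other template" tooling, so an official page on managing IAM resources through infrastructure as code would age better than a single vendor-neutral blog post and avoid a dead link later.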
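Review bot: in the aws_ipset_modified.yml hunk the reference is an AWS Managed Services change-type reference (`management-monitoring-guardduty-ip-set-update-review-required`), which only applies to AMS customers; since the rule itself is tagged TA0005:T1562 (impair defenses) and applies to any account, the GuardDuty user guide page on trusted IP lists and threat lists would be the more general reference, and the description should say which service's IP set the rule watches.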
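Review bot: in the aws_key_compromised.yml hunk the context lines carry two documentation issues worth fixing while this file is touched: the description reads "A users static AWS API key" (should be "A user's"), and the runbook's "If user needs a new IAM give them a stern talking to first" is both informal and incomplete ("a new IAM user" or "a new IAM access key"); the new GitHub secret-scanning reference is appropriate because that program is what opens the AWS case the runbook refers to.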
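Review bot: in the aws_lambda_crud.yml hunk the new `Reference:` value is the same URL already used by `Runbook:` two lines above (`https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html`), so the field adds no information; either point `Reference:` at background material distinct from the runbook (for example the Lambda permissions and resource-based policy documentation, since the rule is about unauthorized CRUD) or leave the field out rather than duplicating the runbook link.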
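Review bot: in the aws_resource_made_public.yml hunk the reference describes VPC Network Access Analyzer, a network-reachability tool, but the description in the same hunk says the rule checks resource policies on ECR, Elasticsearch, KMS, S3, S3 Glacier, SNS, SQS and Secrets Manager, and the runbook says to "adjust the policy"; IAM Access Analyzer, which evaluates resource-based policies for external access, is the matching service, so point the reference there instead of at the VPC tooling.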
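Review bot: in the aws_root_console_login.yml hunk the description in the context lines says the rule is deprecated in favour of AWS.Console.RootLogin, so adding a curated reference here maintains a rule the project has already told users not to use; either drop this file from the patch and schedule the rule's removal, or make the reference itself point at the replacement rule so readers are not kept on the deprecated one.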
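Review bot: in the aws_saml_activity.yml hunk the reference is the Amazon Cognito user-pools page on adding a SAML identity provider, but the description in the same hunk says the rule identifies SAML activity in AWS itself (which in CloudTrail surfaces as IAM SAML provider events), so the IAM documentation on SAML 2.0 federation and SAML identity providers is the relevant background; Cognito SAML configuration is a different control plane and would mislead a responder.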