Merge PR #4479 From @frack113 - Upgrade Rules Status
chore: Upgrade status level from `experimental` to `test` for rules that have not changed in 300 days

---------

Signed-off-by: frack113 <[email protected]>
Co-authored-by: nasbench <[email protected]>
frack113 and nasbench authored Oct 17, 2023
1 parent 92874da commit 020fc80
Showing 557 changed files with 635 additions and 636 deletions.
@@ -1,6 +1,6 @@
title: Account Created And Deleted By Non Approved Users
id: c98184ba-4a27-4e10-b7b7-da48e71f4d25
status: experimental
status: test
description: Detects accounts that are created or deleted by non-approved users.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
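Review bot: the criterion behind this hunk's move to `status: test` (and the same change in the other 556 files) is, per the commit message, 300 days without modification rather than any record of the rule having been exercised against real data; a rule that is unchanged for 300 days may simply be unused. Consider listing in the PR which of these rules have actually been validated, or keeping the ones nobody has run at `experimental`.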
@@ -1,6 +1,6 @@
title: Authentication Occuring Outside Normal Business Hours
id: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526
status: experimental
status: test
description: Detects user signs ins outside of normal business hours.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
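Review bot: the title on the first line of this hunk still reads "Occuring" and the description reads "user signs ins"; since the file is being touched anyway, "Occurring" and "user sign-ins" would be worth fixing in the same pass, or in a follow-up if typo fixes are out of scope here.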
@@ -1,6 +1,6 @@
title: Privilege Role Elevation Not Occuring on SAW or PAW
id: 38a5e67b-436a-4e77-9f73-f48a82626890
status: experimental
status: test
description: Detects failed sign-in from a PAW or SAW device
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
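Review bot: the title and description in this hunk disagree: the title says "Privilege Role Elevation Not Occuring on SAW or PAW" (also "Occurring"), while the description says "Detects failed sign-in from a PAW or SAW device". Before promoting the rule out of `experimental`, one of the two should be corrected so that a consumer reading the description knows what the rule actually matches.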
@@ -1,6 +1,6 @@
title: Privilege Role Sign-In Outside Expected Controls
id: cf1e5687-84e1-41af-97a9-158094efef53
status: experimental
status: test
description: Detects failed sign-in due to user not meeting expected controls for adminitrators
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
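Review bot: the description in this hunk has "adminitrators"; suggest "administrators" while the file is being edited.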
@@ -1,6 +1,6 @@
title: Privilege Role Sign-In Outside Of Normal Hours
id: e927a2f5-e7af-424f-ace7-70ebb49e8976
status: experimental
status: test
description: Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
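Review bot: the description in this hunk covers "outside of normal hours or uncommon locations" but the title only mentions normal hours; if the detection also keys on location, the title should say so, otherwise drop "or uncommon locations" from the description.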
@@ -1,6 +1,6 @@
title: Recon Activity via SASec
id: 0a3ff354-93fc-4273-8a03-1078782de5b7
status: experimental
status: test
description: Detects remote RPC calls to read information about scheduled tasks via SASec
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
@@ -1,6 +1,6 @@
title: AWS EC2 Startup Shell Script Change
id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df
status: experimental
status: test
description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ec2__startup_shell_script/main.py#L9
2 changes: 1 addition & 1 deletion rules/cloud/aws/cloudtrail/aws_ec2_vm_export_failure.yml
@@ -1,6 +1,6 @@
title: AWS EC2 VM Export Failure
id: 54b9a76a-3c71-4673-b4b3-2edb4566ea7b
status: experimental
status: test
description: An attempt to export an AWS EC2 instance has been detected. A VM Export might indicate an attempt to extract information from an instance.
references:
- https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance
@@ -1,6 +1,6 @@
title: AWS Glue Development Endpoint Activity
id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
status: experimental
status: test
description: Detects possible suspicious glue development endpoint activity.
references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
@@ -1,6 +1,6 @@
title: AWS RDS Master Password Change
id: 8a63cdd4-6207-414a-85bc-7e032bd3c1a2
status: experimental
status: test
description: Detects the change of database master password. It may be a part of data exfiltration.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/rds__explore_snapshots/main.py
@@ -1,6 +1,6 @@
title: Azure Application Gateway Modified or Deleted
id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
status: experimental
status: test
description: Identifies when a application gateway is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
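Review bot: the description in this hunk reads "a application gateway"; suggest "an application gateway".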
@@ -1,6 +1,6 @@
title: Azure Application Security Group Modified or Deleted
id: 835747f1-9329-40b5-9cc3-97d465754ce6
status: experimental
status: test
description: Identifies when a application security group is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
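Review bot: the description in this hunk reads "a application security group"; suggest "an application security group".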
@@ -1,6 +1,6 @@
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
status: experimental
status: test
description: Detects when a Container Registry is created or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
@@ -1,6 +1,6 @@
title: Azure DNS Zone Modified or Deleted
id: af6925b0-8826-47f1-9324-337507a0babd
status: experimental
status: test
description: Identifies when DNS zone is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
@@ -1,6 +1,6 @@
title: Azure Firewall Modified or Deleted
id: 512cf937-ea9b-4332-939c-4c2c94baadcd
status: experimental
status: test
description: Identifies when a firewall is created, modified, or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
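Review bot: the description in this hunk says the rule fires when a firewall is "created, modified, or deleted", but the title is "Azure Firewall Modified or Deleted"; either the title should include creation or the description should drop it, so the two agree before the rule leaves `experimental`.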
@@ -1,6 +1,6 @@
title: Azure Firewall Rule Collection Modified or Deleted
id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
status: experimental
status: test
description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
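Review bot: the description in this hunk reads "Rule Collections (Application, NAT, and Network) is being modified or deleted"; the subject is plural, so "are being modified or deleted".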
@@ -1,6 +1,6 @@
title: Azure Keyvault Key Modified or Deleted
id: 80eeab92-0979-4152-942d-96749e11df40
status: experimental
status: test
description: Identifies when a Keyvault Key is modified or deleted in Azure.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,6 +1,6 @@
title: Azure Key Vault Modified or Deleted
id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
status: experimental
status: test
description: Identifies when a key vault is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,6 +1,6 @@
title: Azure Keyvault Secrets Modified or Deleted
id: b831353c-1971-477b-abb6-2828edc3bca1
status: experimental
status: test
description: Identifies when secrets are modified or deleted in Azure.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,6 +1,6 @@
title: Azure Kubernetes Admission Controller
id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
status: experimental
status: test
description: |
Identifies when an admission controller is executed in Azure Kubernetes.
A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server.
@@ -1,6 +1,6 @@
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
status: experimental
status: test
description: Detects when a Azure Kubernetes Cluster is created or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
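Review bot: the description in this hunk reads "a Azure Kubernetes Cluster"; suggest "an Azure Kubernetes Cluster".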
@@ -1,6 +1,6 @@
title: Azure Kubernetes CronJob
id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a
status: experimental
status: test
description: |
Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate.
Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs.
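Review bot: the first description line in this hunk reads "a Azure Kubernetes CronJob"; suggest "an Azure Kubernetes CronJob". The rest of the block explains what a Job and CronJob are but not why a CronJob run is worth alerting on; a short sentence on the persistence angle would help whoever tunes this rule.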
@@ -1,6 +1,6 @@
title: Azure Kubernetes Events Deleted
id: 225d8b09-e714-479c-a0e4-55e6f29adf35
status: experimental
status: test
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
@@ -1,6 +1,6 @@
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
status: experimental
status: test
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
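Review bot: the description in this hunk reads "a Azure Kubernetes network policy"; suggest "an Azure Kubernetes network policy".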
@@ -1,6 +1,6 @@
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
status: experimental
status: test
description: Identifies the deletion of Azure Kubernetes Pods.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
@@ -1,6 +1,6 @@
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
status: experimental
status: test
description: Identifies when ClusterRoles/Roles are being modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
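Review bot: the title in this hunk is "Azure Kubernetes Sensitive Role Access" but the description says it "Identifies when ClusterRoles/Roles are being modified or deleted"; "access" and "modified or deleted" are different events, so one of the two should be reworded to match what the detection section actually selects.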
@@ -1,6 +1,6 @@
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
status: experimental
status: test
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
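Review bot: the title in this hunk says "RoleBinding/ClusterRoleBinding Modified and Deleted" while the description says "creation or patching"; creation, patching and deletion are distinct operations, so the title and description should name the same set before the rule is marked `test`.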
@@ -1,6 +1,6 @@
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
status: experimental
status: test
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
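Review bot: the description in this hunk reads "when a Kubernetes account access a sensitive objects such as configmaps or secrets"; suggest "when a Kubernetes account accesses sensitive objects such as configmaps or secrets".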
@@ -1,6 +1,6 @@
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
status: experimental
status: test
description: Identifies when a service account is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
@@ -1,6 +1,6 @@
title: Azure Network Firewall Policy Modified or Deleted
id: 83c17918-746e-4bd9-920b-8e098bf88c23
status: experimental
status: test
description: Identifies when a Firewall Policy is Modified or Deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,6 +1,6 @@
title: Azure Firewall Rule Configuration Modified or Deleted
id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067
status: experimental
status: test
description: Identifies when a Firewall Rule Configuration is Modified or Deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,6 +1,6 @@
title: Azure Point-to-site VPN Modified or Deleted
id: d9557b75-267b-4b43-922f-a775e2d1f792
status: experimental
status: test
description: Identifies when a Point-to-site VPN is Modified or Deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,6 +1,6 @@
title: Azure Network Security Configuration Modified or Deleted
id: d22b4df4-5a67-4859-a578-8c9a0b5af9df
status: experimental
status: test
description: Identifies when a network security configuration is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,9 +1,9 @@
title: Azure Virtual Network Device Modified or Deleted
id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
status: experimental
status: test
description: |
Identifies when a virtual network device is being modified or deleted.
This can be a network interface, network virtual appliance, virtual hub, or virtual router.
Identifies when a virtual network device is being modified or deleted.
This can be a network interface, network virtual appliance, virtual hub, or virtual router.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
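Review bot: this hunk (`-1,9 +1,9`) also rewrites the two `description` lines, which render with identical text before and after; if the only difference is indentation or trailing whitespace that is fine, but it goes beyond the status-only change stated in the commit message, so confirm that no wording changed and that the `description: |` literal block still parses with the new indentation.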
@@ -1,6 +1,6 @@
title: Azure New CloudShell Created
id: 72af37e2-ec32-47dc-992b-bc288a2708cb
status: experimental
status: test
description: Identifies when a new cloudshell is created inside of Azure portal.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,10 +1,10 @@
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: experimental
status: test
description: |
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
Detects when a user has been elevated to manage all Azure Subscriptions.
This change should be investigated immediately if it isn't planned.
This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
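Review bot: as with the virtual network device rule, this hunk (`-1,10 +1,10`) rewrites the three `description` lines with text that renders identically; confirm the change is whitespace-only and that the `description: |` block still parses, since it is outside the status-only scope of the commit message.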
@@ -1,6 +1,6 @@
title: Azure Suppression Rule Created
id: 92cc3e5d-eb57-419d-8c16-5c63f325a401
status: experimental
status: test
description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
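Review bot: the description in this hunk has "Adversary's could attempt this"; suggest "Adversaries could attempt this".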
@@ -1,6 +1,6 @@
title: Azure Virtual Network Modified or Deleted
id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f
status: experimental
status: test
description: Identifies when a Virtual Network is modified or deleted in Azure.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,6 +1,6 @@
title: Azure VPN Connection Modified or Deleted
id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3
status: experimental
status: test
description: Identifies when a VPN connection is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
@@ -1,6 +1,6 @@
title: CA Policy Removed by Non Approved Actor
id: 26e7c5e2-6545-481e-b7e6-050143459635
status: experimental
status: test
description: Monitor and alert on conditional access changes where non approved actor removed CA Policy.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
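Review bot: the description in this hunk reads "where non approved actor removed CA Policy"; suggest "where a non-approved actor removed a Conditional Access policy", and note the title uses "Non Approved" while the sibling rule below uses "Non-approved"; pick one spelling across the three CA policy rules.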
@@ -1,6 +1,6 @@
title: CA Policy Updated by Non Approved Actor
id: 50a3c7aa-ec29-44a4-92c1-fce229eef6fc
status: experimental
status: test
description: Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure#conditional-access
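Review bot: the description in this hunk mixes the detection statement with triage questions ("Is Initiated by (actor) approved to make changes? Review Modified Properties..."); consider keeping the description to what the rule detects and moving the triage guidance to a dedicated field or the references, so the description stays parseable for downstream tooling.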
@@ -1,6 +1,6 @@
title: New CA Policy by Non-approved Actor
id: 0922467f-db53-4348-b7bf-dee8d0d348c6
status: experimental
status: test
description: Monitor and alert on conditional access changes.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-infrastructure
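Review bot: the description in this hunk, "Monitor and alert on conditional access changes.", is generic and does not mention the two things the title is about, a newly created policy and a non-approved actor; suggest tightening it so it matches the title and the sibling CA policy rules.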
@@ -1,6 +1,6 @@
title: Account Created And Deleted Within A Close Time Frame
id: 6f583da0-3a90-4566-a4ed-83c09fe18bbf
status: experimental
status: test
description: Detects when an account was created and deleted in a short period of time.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts
@@ -1,6 +1,6 @@
title: Bitlocker Key Retrieval
id: a0413867-daf3-43dd-9245-734b3a787942
status: experimental
status: test
description: Monitor and alert for Bitlocker key retrieval.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#bitlocker-key-retrieval
@@ -1,6 +1,6 @@
title: Changes to Device Registration Policy
id: 9494bff8-959f-4440-bbce-fb87a208d517
status: experimental
status: test
description: Monitor and alert for changes to the device registration policy.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
@@ -1,6 +1,6 @@
title: Guest Users Invited To Tenant By Non Approved Inviters
id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
status: experimental
status: test
description: Detects guest users being invited to tenant by non-approved inviters
references:
- https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins
@@ -1,6 +1,6 @@
title: Users Added to Global or Device Admin Roles
id: 11c767ae-500b-423b-bae3-b234450736ed
status: experimental
status: test
description: Monitor and alert for users added to device admin roles.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
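Review bot: the title in this hunk covers "Global or Device Admin Roles" but the description only says "users added to device admin roles"; if the rule also matches Global Administrator assignments the description should say so, since that is the higher-impact case.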
@@ -1,6 +1,6 @@
title: Application AppID Uri Configuration Changes
id: 1b45b0d1-773f-4f23-aedc-814b759563b1
status: experimental
status: test
description: Detects when a configuration change is made to an applications AppID URI.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-applications#appid-uri-added-modified-or-removed
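Review bot: the description in this hunk reads "an applications AppID URI"; suggest "an application's AppID URI".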