
Commit

add mapping fixes (opensearch-project#264)
Signed-off-by: Subhobrata Dey <sbcd90@gmail.com>
sbcd90 authored and eirsep committed Apr 3, 2023
1 parent 77c98d7 commit 492236b
Showing 15 changed files with 19 additions and 19 deletions.
6 changes: 3 additions & 3 deletions src/main/resources/OSMapping/cloudtrail/fieldmappings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ fieldmappings:
requestParameters.arn: aws-cloudtrail-requestParameters-arn
requestParameters.attribute: aws-cloudtrail-requestParameters-attribute
requestParameters.userName: aws-cloudtrail-requestParameters-userName
requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-container-definitions-command
userIdentity.sessionContext.sessionIssuer.type: aws-cloudtrail-userIdentity-sessionContext-session_issuer-type
requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-containerDefinitions-command
userIdentity.sessionContext.sessionIssuer.type: userIdentity-sessionContext-sessionIssuer-type
userIdentity.type: aws-cloudtrail-userIdentity-type
userIdentity.arn: aws-cloudtrail-userIdentity-type
userIdentity.arn: aws-cloudtrail-userIdentity-arn
2 changes: 1 addition & 1 deletion src/main/resources/OSMapping/linux/mappings.json
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,6 @@
"process-real_user-id": {
"path": "process.real_user.id",
"type": "alias"
},
}
}
}
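Review bot: good catch, the trailing comma after the last alias object made this `mappings.json` invalid JSON, which a strict parser rejects outright. Because this kind of typo is easy to reintroduce, consider a unit test or CI lint step that parses every `mappings.json` under `src/main/resources/OSMapping/`, so a broken mapping file fails the build instead of failing at plugin load time.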
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Sign-in Failure Bad Password Threshold
id: dff74231-dbed-42ab-ba49-83289be2ac3a
id: dff74231-dbed-42ab-ba49-84289be2ac3a
description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
author: Corissa Koopmans, '@corissalea'
date: 2022/04/21
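Review bot: the only change in this hunk flips one hex digit of the rule `id` (`...ba49-83289be2ac3a` to `...ba49-84289be2ac3a`), and neither the commit message (`add mapping fixes`) nor the rule body says why. If this resolves a duplicate id with another rule, say so, generate a fresh random UUIDv4 rather than hand-editing an adjacent value (a one-character edit is easy to collide again and hard to audit later), and record the previous id under `related` so existing references to the old id can still be traced. The `date` field is also untouched; adding a `modified` date is the usual signal that the rule changed.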
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
id: 287a39fc-4914-4831-9ada-270e9dc12cb4
description: |
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
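Review bot: same one-digit id rewrite as the previous hunk (`288a39fc-...` to `287a39fc-...`), and this rule and the following Hybrid Health AD FS Service Delete rule form a pair that are both renumbered. If these rules are imported from an upstream community rule set, altering the ids here means the local copies no longer match upstream, which complicates future syncs and any dedup logic that keys on `id`; prefer keeping the upstream ids and fixing whichever local rule collides, or document the divergence in the commit message.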
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
id: 48739819-8230-4de3-a8ea-e0289d1fb0ff
description: |
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Bitlocker Key Retrieval
id: a0413867-daf3-43dd-9245-734b3a787942
id: a0413867-daf3-43dd-9255-734b3a787942
description: Monitor and alert for Bitlocker key retrieval.
author: Michael Epping, '@mepples21'
date: 2022/06/28
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Device Registration or Join Without MFA
id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
id: 5afa454e-030c-4ab4-9253-a90aa7fac581
description: Monitor and alert for device registration or join events where MFA was not performed.
author: Michael Epping, '@mepples21'
date: 2022/06/28
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Changes to Device Registration Policy
id: 9494bff8-959f-4440-bbce-fb87a208d517
id: 9494bff8-959f-4440-abce-fb87a208d517
description: Monitor and alert for changes to the device registration policy.
author: Michael Epping, '@mepples21'
date: 2022/06/28
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Sign-ins from Non-Compliant Devices
id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
id: 4f77e1d7-3972-4ee0-8489-abf2d6b75284
description: Monitor and alert for sign-ins where the device was non-compliant.
author: Michael Epping, '@mepples21'
date: 2022/06/28
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Sign-ins by Unknown Devices
id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
id: 4d136857-6a1a-432a-82ec-5dd497ee5e7c
description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
author: Michael Epping, '@mepples21'
date: 2022/06/28
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: User Added to an Administrator's Azure AD Role
id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
id: ebbeb024-5b1d-4e16-9c1c-917f86c708a7
description: User Added to an Administrator's Azure AD Role
author: Raphaël CALVET, @MetallicHack
date: 2021/10/04
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: Users Added to Global or Device Admin Roles
id: 11c767ae-500b-423b-bae3-b234450736ed
id: 11c767ae-500b-423b-bae3-b244450736ed
description: Monitor and alert for users added to device admin roles.
author: Michael Epping, '@mepples21'
date: 2022/06/28
2 changes: 1 addition & 1 deletion src/main/resources/rules/ad_ldap/win_ldap_recon.yml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: LDAP Reconnaissance / Active Directory Enumeration
id: 31d68132-4038-47c7-8f8e-635a39a7c174
id: 31d68132-4038-47c7-8f8d-635a39a7c174
status: experimental
description: Detects possible Active Directory enumeration via LDAP
author: Adeem Mawani
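Review bot: another id-only change (`...8f8e-...` to `...8f8d-...`) with `status`, description and author untouched. Whatever duplicate these edits are resolving, nothing in the repository prevents it from recurring; a test that loads every rule under `src/main/resources/rules/` and asserts that `id` values are unique and well-formed UUIDs would turn the next collision into a failing build instead of a hand-edit like this one.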
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
title: AWS S3 Data Management Tampering
id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
id: 78b3756a-7804-4ef7-8555-7b9024a02d2d
description: Detects when a user tampers with S3 data management in Amazon Web Services.
author: Austin Songer @austinsonger
status: experimental
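Review bot: this hunk, like the preceding rule hunks, changes a detection rule `id` rather than a field mapping, so the commit title `add mapping fixes` undersells what the change does. Consider splitting the rule-id renumbering into its own commit whose message names the collision being fixed, so that `git log` on these rule files stays meaningful.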
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,9 @@ logsource:
service: system
detection:
selection:
EventID: 22
Message|contains: 'C:\\Program Files\\nxlog\\nxlog.exe'
HostName|startswith: 'EC2AMAZ'
EventId: 22
message|contains: 'C:\\Program Files\\nxlog\\nxlog.exe'
hostname|startswith: 'EC2AMAZ'
condition: selection
falsepositives:
- Unknown
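Review bot: the three field renames leave the selection with mixed conventions: `EventId` keeps camelCase while `message` and `hostname` go fully lowercase. If these are meant to match the keys of the log source's field mapping, please verify all three against that mapping in the same change; a Sigma field name that does not resolve through the mapping never matches, so the rule fails silently rather than erroring. A note in the commit message on which mapping these names come from would help the next reader.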
