From 492236bc60ee14416706a84148d5a71497323b7e Mon Sep 17 00:00:00 2001
From: Subhobrata Dey
Date: Tue, 10 Jan 2023 17:38:54 -0800
Subject: [PATCH] add mapping fixes (#264)
Signed-off-by: Subhobrata Dey
---
src/main/resources/OSMapping/cloudtrail/fieldmappings.yml | 6 +++---
src/main/resources/OSMapping/linux/mappings.json | 2 +-
...ure_aad_secops_signin_failure_bad_password_threshold.yml | 2 +-
.../rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml | 2 +-
.../ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml | 2 +-
.../rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml | 2 +-
.../azure_ad_device_registration_or_join_without_mfa.yml | 2 +-
.../ad_ldap/azure_ad_device_registration_policy_changes.yml | 2 +-
.../ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml | 2 +-
.../ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml | 2 +-
.../rules/ad_ldap/azure_ad_user_added_to_admin_role.yml | 2 +-
.../ad_ldap/azure_ad_users_added_to_device_admin_roles.yml | 2 +-
src/main/resources/rules/ad_ldap/win_ldap_recon.yml | 2 +-
.../rules/cloudtrail/aws_s3_data_management_tampering.yml | 2 +-
.../rules/windows/builtin/system/win_sample_rule.yml | 6 +++---
15 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/src/main/resources/OSMapping/cloudtrail/fieldmappings.yml b/src/main/resources/OSMapping/cloudtrail/fieldmappings.yml
index a4540f117..eb6350d9e 100644
--- a/src/main/resources/OSMapping/cloudtrail/fieldmappings.yml
+++ b/src/main/resources/OSMapping/cloudtrail/fieldmappings.yml
@@ -4,7 +4,7 @@ fieldmappings:
 requestParameters.arn: aws-cloudtrail-requestParameters-arn
 requestParameters.attribute: aws-cloudtrail-requestParameters-attribute
 requestParameters.userName: aws-cloudtrail-requestParameters-userName
- requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-container-definitions-command
- userIdentity.sessionContext.sessionIssuer.type: aws-cloudtrail-userIdentity-sessionContext-session_issuer-type
+ requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-containerDefinitions-command
+ userIdentity.sessionContext.sessionIssuer.type: userIdentity-sessionContext-sessionIssuer-type
 userIdentity.type: aws-cloudtrail-userIdentity-type
- userIdentity.arn: aws-cloudtrail-userIdentity-type
\ No newline at end of file
+ userIdentity.arn: aws-cloudtrail-userIdentity-arn
\ No newline at end of file
diff --git a/src/main/resources/OSMapping/linux/mappings.json b/src/main/resources/OSMapping/linux/mappings.json
index bff2b5649..5bbc47276 100644
--- a/src/main/resources/OSMapping/linux/mappings.json
+++ b/src/main/resources/OSMapping/linux/mappings.json
@@ -47,6 +47,6 @@
 "process-real_user-id": {
 "path": "process.real_user.id",
 "type": "alias"
- },
+ }
 }
 }
\ No newline at end of file
diff --git a/src/main/resources/rules/ad_ldap/azure_aad_secops_signin_failure_bad_password_threshold.yml b/src/main/resources/rules/ad_ldap/azure_aad_secops_signin_failure_bad_password_threshold.yml
index a914ca337..c34e90a3e 100644
--- a/src/main/resources/rules/ad_ldap/azure_aad_secops_signin_failure_bad_password_threshold.yml
+++ b/src/main/resources/rules/ad_ldap/azure_aad_secops_signin_failure_bad_password_threshold.yml
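Review bot: The new `userIdentity.sessionContext.sessionIssuer.type: userIdentity-sessionContext-sessionIssuer-type` line drops the `aws-cloudtrail-` prefix that every other alias in this hunk carries, so it is either a typo or points at an alias named differently from the rest of the file; I would expect `userIdentity.sessionContext.sessionIssuer.type: aws-cloudtrail-userIdentity-sessionContext-sessionIssuer-type` unless the unprefixed name is deliberate. The diffstat shows no change to the cloudtrail mappings.json in this commit, so the three renamed targets (`...containerDefinitions-command`, `...sessionIssuer-type`, `...userIdentity-arn`) presumably must already exist there; if any does not, rules keyed on these fields (the session issuer type is what separates assumed-role activity from IAM-user activity in CloudTrail) will silently query a field that is never populated and never fire. The `userIdentity.arn` fix is correct and worth calling out in the commit message, since the old mapping to `-type` would have made every arn-based rule match on the wrong field. The file still ends without a trailing newline, which this hunk could have fixed while touching the last line.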
@@ -1,5 +1,5 @@
 title: Sign-in Failure Bad Password Threshold
-id: dff74231-dbed-42ab-ba49-83289be2ac3a
+id: dff74231-dbed-42ab-ba49-84289be2ac3a
 description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
 author: Corissa Koopmans, '@corissalea'
 date: 2022/04/21
diff --git a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml
index 8088ce3d7..9e8562774 100644
--- a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml
+++ b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_new_server.yml
@@ -1,5 +1,5 @@
 title: Azure Active Directory Hybrid Health AD FS New Server
-id: 288a39fc-4914-4831-9ada-270e9dc12cb4
+id: 287a39fc-4914-4831-9ada-270e9dc12cb4
 description: |
 This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
diff --git a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml
index 6fc97a25f..c325d3d38 100644
--- a/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml
+++ b/src/main/resources/rules/ad_ldap/azure_aadhybridhealth_adfs_service_delete.yml
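Review bot: The rule `id` is changed by a single hex digit (`...83289be2ac3a` → `...84289be2ac3a`), which silently detaches this rule from the upstream Sigma rule it was imported from, and the commit message ("add mapping fixes") does not say why; the same one-character edits are applied to every other ad_ldap and cloudtrail rule id in this patch. If the intent is to avoid an id collision with another copy of the rule already in the repository, that should be stated in the commit message and recorded in the rule itself, e.g. `related:` / `  - id: dff74231-dbed-42ab-ba49-83289be2ac3a` / `    type: derived`, so the lineage survives and a future upstream sync does not reintroduce the duplicate. If detectors or findings reference rules by this id, anything already pointing at the old value will stop resolving after this change, so the rename should be called out as a breaking change rather than buried under "mapping fixes".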
@@ -1,5 +1,5 @@
 title: Azure Active Directory Hybrid Health AD FS Service Delete
-id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
+id: 48739819-8230-4de3-a8ea-e0289d1fb0ff
 description: |
 This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
diff --git a/src/main/resources/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml b/src/main/resources/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml
index e203e67b7..d999c4a67 100644
--- a/src/main/resources/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml
+++ b/src/main/resources/rules/ad_ldap/azure_ad_bitlocker_key_retrieval.yml
@@ -1,5 +1,5 @@
 title: Bitlocker Key Retrieval
-id: a0413867-daf3-43dd-9245-734b3a787942
+id: a0413867-daf3-43dd-9255-734b3a787942
 description: Monitor and alert for Bitlocker key retrieval.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
diff --git a/src/main/resources/rules/ad_ldap/azure_ad_device_registration_or_join_without_mfa.yml b/src/main/resources/rules/ad_ldap/azure_ad_device_registration_or_join_without_mfa.yml
index 23c3582cb..65917ece4 100644
--- a/src/main/resources/rules/ad_ldap/azure_ad_device_registration_or_join_without_mfa.yml
+++ b/src/main/resources/rules/ad_ldap/azure_ad_device_registration_or_join_without_mfa.yml
@@ -1,5 +1,5 @@
 title: Device Registration or Join Without MFA
-id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+id: 5afa454e-030c-4ab4-9253-a90aa7fac581
 description: Monitor and alert for device registration or join events where MFA was not performed.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
diff --git a/src/main/resources/rules/ad_ldap/azure_ad_device_registration_policy_changes.yml b/src/main/resources/rules/ad_ldap/azure_ad_device_registration_policy_changes.yml
index e4c8d8555..08da8a3af 100644
--- a/src/main/resources/rules/ad_ldap/azure_ad_device_registration_policy_changes.yml
+++ b/src/main/resources/rules/ad_ldap/azure_ad_device_registration_policy_changes.yml
@@ -1,5 +1,5 @@
 title: Changes to Device Registration Policy
-id: 9494bff8-959f-4440-bbce-fb87a208d517
+id: 9494bff8-959f-4440-abce-fb87a208d517
 description: Monitor and alert for changes to the device registration policy.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
diff --git a/src/main/resources/rules/ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml b/src/main/resources/rules/ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml
index 45003d427..e5a0e7198 100644
--- a/src/main/resources/rules/ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/src/main/resources/rules/ad_ldap/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -1,5 +1,5 @@
 title: Sign-ins from Non-Compliant Devices
-id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
+id: 4f77e1d7-3972-4ee0-8489-abf2d6b75284
 description: Monitor and alert for sign-ins where the device was non-compliant.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
diff --git a/src/main/resources/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml b/src/main/resources/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml
index 59e6ad2f1..db67bb1ea 100644
--- a/src/main/resources/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml
+++ b/src/main/resources/rules/ad_ldap/azure_ad_sign_ins_from_unknown_devices.yml
@@ -1,5 +1,5 @@
 title: Sign-ins by Unknown Devices
-id: 4d136857-6a1a-432a-82fc-5dd497ee5e7c
+id: 4d136857-6a1a-432a-82ec-5dd497ee5e7c
 description: Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
diff --git a/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml b/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml
index c85eeffd0..39896aa3e 100644
--- a/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml
+++ b/src/main/resources/rules/ad_ldap/azure_ad_user_added_to_admin_role.yml
@@ -1,5 +1,5 @@
 title: User Added to an Administrator's Azure AD Role
-id: ebbeb024-5b1d-4e16-9c0c-917f86c708a7
+id: ebbeb024-5b1d-4e16-9c1c-917f86c708a7
 description: User Added to an Administrator's Azure AD Role
 author: Raphaƫl CALVET, @MetallicHack
 date: 2021/10/04
diff --git a/src/main/resources/rules/ad_ldap/azure_ad_users_added_to_device_admin_roles.yml b/src/main/resources/rules/ad_ldap/azure_ad_users_added_to_device_admin_roles.yml
index 0c3140549..0a211a1c8 100644
--- a/src/main/resources/rules/ad_ldap/azure_ad_users_added_to_device_admin_roles.yml
+++ b/src/main/resources/rules/ad_ldap/azure_ad_users_added_to_device_admin_roles.yml
@@ -1,5 +1,5 @@
 title: Users Added to Global or Device Admin Roles
-id: 11c767ae-500b-423b-bae3-b234450736ed
+id: 11c767ae-500b-423b-bae3-b244450736ed
 description: Monitor and alert for users added to device admin roles.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
diff --git a/src/main/resources/rules/ad_ldap/win_ldap_recon.yml b/src/main/resources/rules/ad_ldap/win_ldap_recon.yml
index e0a9559dd..d5ccf9620 100644
--- a/src/main/resources/rules/ad_ldap/win_ldap_recon.yml
+++ b/src/main/resources/rules/ad_ldap/win_ldap_recon.yml
@@ -1,5 +1,5 @@
 title: LDAP Reconnaissance / Active Directory Enumeration
-id: 31d68132-4038-47c7-8f8e-635a39a7c174
+id: 31d68132-4038-47c7-8f8d-635a39a7c174
 status: experimental
 description: Detects possible Active Directory enumeration via LDAP
 author: Adeem Mawani
diff --git a/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml b/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml
index 13e21a4bc..2080b16d0 100644
--- a/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml
+++ b/src/main/resources/rules/cloudtrail/aws_s3_data_management_tampering.yml
@@ -1,5 +1,5 @@
 title: AWS S3 Data Management Tampering
-id: 78b3756a-7804-4ef7-8555-7b9024a02e2d
+id: 78b3756a-7804-4ef7-8555-7b9024a02d2d
 description: Detects when a user tampers with S3 data management in Amazon Web Services.
 author: Austin Songer @austinsonger
 status: experimental
diff --git a/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml b/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml
index b38d74cc8..e0bb61e09 100644
--- a/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml
+++ b/src/main/resources/rules/windows/builtin/system/win_sample_rule.yml
@@ -16,9 +16,9 @@ logsource:
 service: system
 detection:
 selection:
- EventID: 22
- Message|contains: 'C:\\Program Files\\nxlog\\nxlog.exe'
- HostName|startswith: 'EC2AMAZ'
+ EventId: 22
+ message|contains: 'C:\\Program Files\\nxlog\\nxlog.exe'
+ hostname|startswith: 'EC2AMAZ'
 condition: selection
 falsepositives:
 - Unknown
\ No newline at end of file
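Review bot: The selection now keys on `EventId`, `message` and `hostname` instead of Sigma's canonical `EventID`, `Message` and `HostName`, but the diffstat shows no windows field-mapping change in this commit, so these spellings must already be the raw index field names (or existing aliases) for the `system` log source; if they are not, the rule will still compile and simply never match, which is the failure mode a detection repo should guard against. Other windows rules in the repository presumably still use `EventID`, so mixing both conventions in one log source invites a future mapping change that fixes one spelling and silently breaks the other; a one-line note above `selection:` such as `# field names below are the raw index field names for this log source, not Sigma's EventID/Message/HostName` would make the choice deliberate. The `hostname|startswith: 'EC2AMAZ'` clause pins the rule to default EC2 Windows hostnames, which is acceptable for a sample but should be flagged so it is not copied into a production rule. The `logsource:` block this hunk belongs to starts before the hunk.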