Aws mitre t1606 #646
Aws mitre t1606 #646
Conversation
| @@ -0,0 +1,117 @@ | |||
| from datetime import datetime, timedelta | |||
There was a problem hiding this comment.
we should implement this as more portable vs re-implementing/copying the evaluation used in the okta improbable login.
There was a problem hiding this comment.
Nate and I had this conversation and think we should have an anomalous helper.
There was a problem hiding this comment.
Hey @edyesed I totally agree. I would like to update our global helpers to include:
- DynamoDB -
put_dictionary()andget_dictionary(), that would handle serializing and de-serializing dictionaries and putting/getting them from DynamoDB. These would alleviate the string set-to-dict conversions that are implemented in several detections that use DynamoDB stateful caching - Distance calculation with Lat/Long values -
haversine_distance()
Would that be something I could work up in its own PR?
There was a problem hiding this comment.
absolutely something that you can work up into its own PR 👍
Also agree that the distance calculation belongs out in the helpers. This is a valuable technique we can apply to lots of different logtypes 💯
There was a problem hiding this comment.
Just notating this as completed.
|
|
||
| PANTHER_TIME_FORMAT = "%Y-%m-%d %H:%M:%S" | ||
|
|
||
| AUTH_EVENTS = [ |
There was a problem hiding this comment.
we should probably increase scope to ConsoleLogin, though unlike the other eventNames it is not in sso.amazonaws.com eventSource
| @@ -0,0 +1,382 @@ | |||
| AnalysisType: rule | |||
| Description: Monitor for creation of access tokens | |||
There was a problem hiding this comment.
This detection is computing improbable travel and description mentions creating access tokens.
|
|
||
| def title(event): | ||
| return ( | ||
| f"User [{deep_get(event, 'userIdentity', 'principalId')}] " |
There was a problem hiding this comment.
this title should say something about impossible travel
|
|
||
| def rule(event): | ||
| # Filter: Non-S3 events | ||
| if event.get("eventSource") != "s3.amazonaws.com": |
There was a problem hiding this comment.
the eventNames from lines 26-44 always return False from line 51
|
|
||
| def title(event): | ||
| return ( | ||
| f"User [{deep_get(event, 'userIdentity', 'principalId')}] " |
There was a problem hiding this comment.
please use userIdentity.arn
| def title(event): | ||
| return ( | ||
| f"User [{deep_get(event, 'userIdentity', 'principalId')}] " | ||
| f"performed a [{event.get('eventName')}] " |
There was a problem hiding this comment.
I know we haven't historically included the Threshold in the title, and I'm wondering if it makes sense to say that the actor has already done N number of these items.
| Reference: https://attack.mitre.org/techniques/T1518/001/ | ||
| Reports: | ||
| MITRE ATT&CK: | ||
| - T1518:T1518.001 |
There was a problem hiding this comment.
my understanding is that the web UI doesn't handle subtechniques.
I think this will need to be TAxxxx:Txxxx
| Reference: https://attack.mitre.org/techniques/T1213/003/ | ||
| Reports: | ||
| MITRE ATT&CK: | ||
| - T1213 |
There was a problem hiding this comment.
This needs to be format TAxxxx:Txxxx
| Reference: https://attack.mitre.org/tactics/TA0009/ | ||
| Reports: | ||
| MITRE ATT&CK: | ||
| - TA0009 |
Background
Adding aws mitre t1606 to Odin detections.