From f0ab897f99eeb28f86387b2e43f611bb3aad6da5 Mon Sep 17 00:00:00 2001
From: Isai <59296946+imays11@users.noreply.github.com>
Date: Thu, 11 Jul 2024 12:49:03 -0400
Subject: [PATCH] [Rule Tunings] AWS Administrator Access Policy Attached Rules (#3867)

* [Tuning] AWS Administrator Access Policy Attached Rules
* change lookback to prevent overlap
* changed from to now-6m
---
 ...iam_administratoraccess_policy_attached_to_group.toml} | 8 +++-----
 ..._iam_administratoraccess_policy_attached_to_role.toml} | 8 +++-----
 ..._iam_administratoraccess_policy_attached_to_user.toml} | 8 +++-----
 3 files changed, 9 insertions(+), 15 deletions(-)
 rename rules/integrations/aws/{privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml => privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml} (94%)
 rename rules/integrations/aws/{privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml => privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml} (94%)
 rename rules/integrations/aws/{privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml => privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml} (94%)

diff --git a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
similarity index 94%
rename from rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
index 7f5365aceef..2282733cf22 100644
--- a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_group.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml
@@ -2,8 +2,8 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/31"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
+updated_date = "2024/07/05"
+min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
 min_stack_version = "8.13.0"
 
 [rule]
@@ -21,7 +21,7 @@ false_positives = [
 to attach the `AdministratorAccess` policy to the user group.
 """,
 ]
-from = "now-10m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS IAM AdministratorAccess Policy Attached to Group"
@@ -104,8 +104,6 @@ from logs-aws.cloudtrail-*
 | where event.provider == "iam.amazonaws.com" and event.action == "AttachGroupPolicy" and event.outcome == "success"
 | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}"
 | where policyName == "AdministratorAccess"
-| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, group.name, user_agent.original, source.address, source.geo.location
-| sort aws.cloudtrail.user_identity.arn
 '''
 
 
diff --git a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
similarity index 94%
rename from rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
index 33fb26d5528..315b25f19fe 100644
--- a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_role.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml
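Review bot: Shrinking the lookback to `from = "now-6m"` in the group rule leaves only the gap between six minutes and the rule's `interval` (not shown in the hunk) as a buffer for CloudTrail delivery latency, and CloudTrail events commonly reach the index several minutes after the API call; an event that lands after the window has slid past it is never evaluated, so a successful `AttachGroupPolicy` of `AdministratorAccess` could go unalerted. The commit message motivates the change with alert overlap, but if, as I believe, the ES|QL rule type deduplicates alerts on the `_id` metadata that the same commit lets through by dropping `keep`, the wider `now-10m` window costs nothing and loses fewer late events, so it is worth confirming which of the two actually fixes the overlap before shortening the window. Either way, record the assumption next to the field, e.g. `# lookback must exceed interval plus expected CloudTrail ingest delay`. The role and user rules in this patch make the same change.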
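Review bot: Removing `| keep ...` from the group rule's ES|QL query changes more than the output columns: without a `keep` the query passes through the `_id`/`_index` metadata, which (as I understand the ES|QL rule type) is what makes alerts deduplicate across overlapping runs and attaches the full source document to the alert. That dependency is invisible in the rule itself, so a later maintainer re-adding a `keep` to trim the alert would silently bring duplicate alerts back. Documenting it in the rule, e.g. a `note` sentence such as "No `keep` clause on purpose: the `_id` metadata must survive so overlapping runs deduplicate", would protect the change. Dropping `| sort` also leaves row order unspecified, so if the query ever returns more rows than the rule can emit as alerts, which events become alerts is arbitrary; `| sort @timestamp desc` would make that deterministic. The role and user rules carry the same change.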
@@ -2,8 +2,8 @@
 creation_date = "2024/05/31"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/31"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
+updated_date = "2024/07/05"
+min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
 min_stack_version = "8.13.0"
 
 [rule]
@@ -20,7 +20,7 @@ false_positives = [
 to attach the `AdministratorAccess` policy to the target role.
 """,
 ]
-from = "now-10m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS IAM AdministratorAccess Policy Attached to Role"
@@ -103,8 +103,6 @@ from logs-aws.cloudtrail-*
 | where event.provider == "iam.amazonaws.com" and event.action == "AttachRolePolicy" and event.outcome == "success"
 | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}"
 | where policyName == "AdministratorAccess"
-| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, role.name, user_agent.original, source.address, source.geo.location
-| sort aws.cloudtrail.user_identity.arn
 '''
 
 
diff --git a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
similarity index 94%
rename from rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml
rename to rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
index 2fd2baff48f..f1702a82a24 100644
--- a/rules/integrations/aws/privilege_escalation_aws_iam_administratoraccess_policy_attached_to_user.toml
+++ b/rules/integrations/aws/privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml
@@ -2,8 +2,8 @@
 creation_date = "2024/05/30"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/05/30"
-min_stack_comments = "ES|QL rule type is still in technical preview as of 8.13, however this rule was tested successfully"
+updated_date = "2024/07/05"
+min_stack_comments = "ES|QL rule type in technical preview as of 8.13."
 min_stack_version = "8.13.0"
 
 [rule]
@@ -20,7 +20,7 @@ false_positives = [
 to attach the `AdministratorAccess` policy to the target user.
 """,
 ]
-from = "now-10m"
+from = "now-6m"
 language = "esql"
 license = "Elastic License v2"
 name = "AWS IAM AdministratorAccess Policy Attached to User"
@@ -103,8 +103,6 @@ from logs-aws.cloudtrail-*
 | where event.provider == "iam.amazonaws.com" and event.action == "AttachUserPolicy" and event.outcome == "success"
 | dissect aws.cloudtrail.request_parameters "{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}"
 | where policyName == "AdministratorAccess"
-| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, target.userName, user_agent.original, source.address, source.geo.location
-| sort aws.cloudtrail.user_identity.arn
 '''