Closed terrancedejesus closed 1 month ago
These guidelines serve as a reminder set of considerations when proposing a new rule.

- `creation_date` matches the date of creation PR initially merged.
- `min_stack_version` should support the widest stack versions.
- `name` and `description` should be descriptive and not include typos.
- `query` should be inclusive, not overly exclusive, considering performance for diverse environments. Non-ECS fields should be added to `non-ecs-schema.json` if not available in an integration.
- `min_stack_comments` and `min_stack_version` should be included if the rule is only compatible starting from a specific stack version.
- `index` pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use `logs-endpoint.process-*` for process data).
- `integration` should align with the `index`. If the integration is newly introduced, ensure the manifest, schemas, and `new_rule.yaml` template are updated.
- `setup` should include the necessary steps to configure the integration.
- `note` should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
- `tags` should be relevant to the threat and align with / be added to the `EXPECTED_RULE_TAGS` in the `definitions.py` file.
- `threat`, `techniques`, and `subtechniques` should map to ATT&CK always if possible.
- `building_block_type` should be included if the rule is a building block and the rule should be located in the `rules_building_block` folder.
- `bypass_bbr_timing` should be included if adding custom lookback timing to the rule.

This seems to be a bug, making this a blocker.

FAILED tests/test_specific_rules.py::TestNewTerms::test_new_terms_fields - AssertionError: aws.cloudtrail.flattened.request_parameters.roleArn not found in ECS, Beats, or non-ecs schemas
Pull Request

Issue link(s):

Summary - What I changed

Per conversation with @aarju, the following AWS OOTB rules had room for improvement.

- AWS Security Token Service (STS) AssumeRole Usage -> AWS STS Temporary Credentials via AssumeRole
- AWS SAML Activity -> AWS IAM SAML Provider Updated

For AWS Security Token Service (STS) AssumeRole Usage, we changed this rule from a custom KQL query to New Terms. The new terms values will focus solely on `user.id` and `aws.cloudtrail.flattened.request_parameters.roleArn` for uniqueness. It was pointed out that false-positives may occur for environments with third-party IdPs. This remains true for automation workflows as well. New terms should ignore common benign temporary creds retrieved for specific users and roles that are commonly assumed. Additionally, rather than separate `AssumeRole` and `AssumeRoleWithSAML`, we added `*` to account for any assumed role activity. Based on global alert telemetry, we have assumed role activity from various sources (SAML via IdP, web identity, pod identity, etc.). With `user.id: *` added to the query, this field must exist, but it only exists for assumed role activity where an IAM user is involved, thus ignoring some automated workflows.

For AWS SAML Activity, this rule originally seemed to capture multiple SAML authentication workflow activity that may or may not have been related to each other, based on the API calls reported in `event.action`. As a result, `AssumeRoleWithSAML` will be covered in AWS STS Temporary Credentials via AssumeRole. This rule now only detects when the IAM SAML provider has had metadata modification. We also increased the risk score associated with this, as the result of a true-positive could have higher consequences. Note that this update reduces alerts to ~82 within the last 4 months globally.

Additional Information:

- Added `aws.cloudtrail.flattened.request_parameters.roleArn` to `non-ecs.json` as it does not exist in the AWS schema we build locally

How To Test

- AWS IAM SAML Provider Updated
- AWS STS Temporary Credentials via AssumeRole: This is more difficult to test as it is new terms. Instead, knowing that the user ID is used for New Terms regarding AWS IAM and STS events, we can confidently assume lower alert volume or false-positives. There are ~502 unique `user.id`s for global telemetry from ~8000 alerts in the last 120 days; therefore, this should reduce these.
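The New Terms behaviour described in this PR, as an added example that is not code from the PR or from the detection-rules project: it filters constructed CloudTrail-style events with the `event.action: AssumeRole*` and `user.id: *` conditions and alerts when a `(user.id, roleArn)` pair has not been seen within a lookback window. The 14-day window, the account ID and the user IDs are assumptions, and the sliding-window check is a simplification of how the Elastic New Terms rule type evaluates history.

```python
# Added example (not the PR's or the project's code): simulate the New Terms logic
# described above over constructed CloudTrail-style events.
from datetime import datetime, timedelta

ROLE_ARN_FIELD = "aws.cloudtrail.flattened.request_parameters.roleArn"
HISTORY_WINDOW = timedelta(days=14)  # assumed lookback; the PR does not state the rule's value

# Constructed sample events, not real telemetry. Account ID and user IDs are placeholders.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_EVENTS = [
    {"@timestamp": T0, "event.action": "AssumeRole", "user.id": "AIDAEXAMPLEUSER1",
     ROLE_ARN_FIELD: "arn:aws:iam::123456789012:role/DeployRole"},          # first pair: alert
    {"@timestamp": T0 + timedelta(hours=1), "event.action": "AssumeRole", "user.id": "AIDAEXAMPLEUSER1",
     ROLE_ARN_FIELD: "arn:aws:iam::123456789012:role/DeployRole"},          # repeat pair: no alert
    {"@timestamp": T0 + timedelta(hours=2), "event.action": "AssumeRoleWithSAML", "user.id": "AIDAEXAMPLEUSER1",
     ROLE_ARN_FIELD: "arn:aws:iam::123456789012:role/AdminRole"},           # new pair via SAML (wildcard): alert
    {"@timestamp": T0 + timedelta(hours=3), "event.action": "AssumeRole",
     ROLE_ARN_FIELD: "arn:aws:iam::123456789012:role/LambdaRole"},          # no user.id (automation): filtered
    {"@timestamp": T0 + timedelta(hours=4), "event.action": "GetCallerIdentity", "user.id": "AIDAEXAMPLEUSER1"},
    {"@timestamp": T0 + timedelta(days=30), "event.action": "AssumeRole", "user.id": "AIDAEXAMPLEUSER1",
     ROLE_ARN_FIELD: "arn:aws:iam::123456789012:role/DeployRole"},          # pair aged out of window: alert again
]

def matches_query(event):
    """Mirror the query described in the PR: event.action: AssumeRole* and user.id: * (field must exist)."""
    return event.get("event.action", "").startswith("AssumeRole") and "user.id" in event

def new_terms_key(event):
    """The two fields the rule uses for uniqueness."""
    return (event["user.id"], event.get(ROLE_ARN_FIELD))

def find_new_terms(events, history_window=HISTORY_WINDOW):
    """Return the events whose (user.id, roleArn) pair was not seen within history_window beforehand."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key, ts = new_terms_key(ev), ev["@timestamp"]
        previous = last_seen.get(key)
        if previous is None or ts - previous > history_window:
            alerts.append(ev)
        last_seen[key] = ts
    return alerts

if __name__ == "__main__":
    for ev in find_new_terms(SAMPLE_EVENTS):
        print(ev["@timestamp"].isoformat(), ev["event.action"], new_terms_key(ev))
```

Running it against the sample set produces three alerts: the first use of DeployRole, the SAML-assumed AdminRole, and DeployRole again once it has aged out of the window; the event without `user.id` and the non-AssumeRole call never reach the new-terms check.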
Checklist

- `bug`, `enhancement`, `Rule: New`, `Rule: Deprecation`, `Rule: Promote`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- `meta:rapid-merge` label if planning to merge within 24 hours

Contributor checklist