Merge pull request #10206 from Azure/v-prasadboke-aws

Hyperlinks corrected for AWS

Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToRDSDatabase.yaml

@@ -4,7 +4,7 @@ description: |
   'Amazon Relational Database Service (RDS) is scalable relational database in the cloud.
   If your organization have one or more AWS RDS Databases running, monitoring changes to especially internet facing AWS RDS (Relational Database Service)
   Once alerts triggered, validate if changes observed are authorized and adhere to change control policy.
-  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255
+  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 
   and RDS API Reference Docs: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Operations.html'
 severity: Low
 status: Available
@@ -47,5 +47,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Amazon Web Services/Analytic Rules/AWS_ChangeToVPC.yaml

@@ -4,7 +4,7 @@ description: |
   'Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources
   in a virtual network that you define.
   This identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.
-  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255
+  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 
   and AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html'
 severity: Low
 status : Available
@@ -50,5 +50,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled

Solutions/Amazon Web Services/Analytic Rules/AWS_ClearStopChangeTrailLogs.yaml

@@ -3,9 +3,9 @@ name: Changes made to AWS CloudTrail logs
 description: |
   'Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity.
   This alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.
-  More Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html
-  AWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html
-  AWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html '
+  More Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html 
+  AWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html 
+  AWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html ' 
 severity: Low
 status: Available
 requiredDataConnectors:
@@ -46,5 +46,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Amazon Web Services/Analytic Rules/AWS_CredentialHijack.yaml

@@ -4,7 +4,7 @@ description: |
   'Looking for GetCallerIdentity Events where the UserID Type is AssumedRole
   An attacker who has assumed the role of a legitimate account can call the GetCallerIdentity function to determine what account they are using.
   A legitimate user using legitimate credentials would not need to call GetCallerIdentity since they should already know what account they are using.
-  More Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws
+  More Information: https://duo.com/decipher/trailblazer-hunts-compromised-credentials-in-aws 
   AWS STS GetCallerIdentity API: https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html '
 severity: Low
 status: Available
@@ -48,5 +48,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Amazon Web Services/Analytic Rules/AWS_FullAdminPolicyAttachedToRolesUsersGroups.yaml

@@ -4,7 +4,7 @@ description: |
   'Identity and Access Management (IAM) securely manages access to AWS services and resources. 
   Identifies when a policy is created with Full Administrators Access (Allow-Action:*,Resource:*). 
   This policy can be attached to role,user or group and may be used by an adversary to escalate a normal user privileges to an adminsitrative level.
-  AWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html
+  AWS IAM Policy Grammar: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html 
   and AWS IAM API at https://docs.aws.amazon.com/IAM/latest/APIReference/API_Operations.html'
 severity: Medium
 status: Available
@@ -80,5 +80,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Amazon Web Services/Analytic Rules/AWS_GuardDuty_template.yaml

@@ -14,10 +14,10 @@ triggerThreshold: 0
 tactics: []
 relevantTechniques: []
 query: |
-  // https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html
+  // https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html 
   AWSGuardDuty 
   // Parse the finding
-  // https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html
+  // https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-format.html 
   // Example: "ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact"
   | extend findingTokens = split(ActivityType, ":")
   | extend ThreatPurpose=findingTokens[0], findingTokens=split(findingTokens[1], "/")
@@ -34,19 +34,19 @@ query: |
         "Unknown"
       )
   // Pull out any available resource details we can extract entities from. These may not exist in the alert.
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Resource.html
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsDbUserDetails.html
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesDetails.html
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Resource.html 
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html 
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsDbUserDetails.html 
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesDetails.html 
   | extend AccessKeyDetails=ResourceDetails.accessKeyDetails
   | extend RdsDbUserDetails=ResourceDetails.rdsDbUserDetails
   | extend KubernetesDetails=ResourceDetails.kubernetesDetails
   // Pull out any available action details we can extract entities from. These may not exist in the alert.
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Action.html
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_NetworkConnectionAction.html
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsLoginAttemptAction.html
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_Action.html 
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html 
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html 
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_NetworkConnectionAction.html 
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RdsLoginAttemptAction.html 
   | extend ServiceAction = 
       case(
         isnotempty(ServiceDetails.action.awsApiCallAction), ServiceDetails.action.awsApiCallAction,
@@ -56,24 +56,24 @@ query: |
         dynamic(null)
       )
   // The IPv4 remote address of the connection
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteIpDetails.html
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteIpDetails.html 
   // or
   // The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint 
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_KubernetesApiCallAction.html 
   | extend RemoteIpAddress = 
       coalesce(
         tostring(ServiceAction.remoteIpDetails.ipAddressV4),
         tostring(parse_json(ServiceAction.sourceIPs)[0])
       )
   // The IPv4 local address of the connection
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_LocalIpDetails.html
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_LocalIpDetails.html 
   | extend LocalIpAddress = ServiceAction.localIpDetails.ipAddressV4
   // The AWS account ID of the remote API caller.
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteAccountDetails.html
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AwsApiCallAction.html 
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_RemoteAccountDetails.html 
   | extend RemoteAWSAccountId = ServiceAction.remoteAccountDetails.accountId
   // The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding
-  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html
+  // https://docs.aws.amazon.com/guardduty/latest/APIReference/API_AccessKeyDetails.html 
   | extend AccountUpn = 
       case(
         AccessKeyDetails.userType == "IAMUser", AccessKeyDetails.userName,
@@ -148,4 +148,4 @@ alertDetailsOverride:
   alertTacticsColumnName: ThreatPurpose
   alertSeverityColumnName: Severity
 kind: Scheduled
-version: 1.0.5
+version: 1.0.6

Solutions/Amazon Web Services/Analytic Rules/AWS_IngressEgressSecurityGroupChange.yaml

@@ -3,7 +3,7 @@ name: Changes to AWS Security Group ingress and egress settings
 description: |
   'A Security Group acts as a virtual firewall of an instance to control inbound and outbound traffic.
    Hence, ingress and egress settings changes to AWS Security Group should be monitored as these can expose the enviornment to new attack vectors.
-  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255.'
+  More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255. '
 severity: Low
 status: Available
 requiredDataConnectors:
@@ -47,5 +47,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Amazon Web Services/Analytic Rules/AWS_LoadBalancerSecGroupChange.yaml

@@ -3,8 +3,8 @@ name: Changes to AWS Elastic Load Balancer security groups
 description: |
   'Elastic Load Balancer distributes incoming traffic across multiple instances in multiple availability Zones. This increases the fault tolerance of your applications.
    Unwanted changes to Elastic Load Balancer specific security groups could open your environment to attack and  hence needs monitoring.
-   More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255
-   and https://aws.amazon.com/elasticloadbalancing/.'
+   More information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 
+   and https://aws.amazon.com/elasticloadbalancing/. '
 severity: Low
 status: Available
 requiredDataConnectors:
@@ -48,5 +48,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled

Solutions/Amazon Web Services/Analytic Rules/AWS_LogTampering.yaml

@@ -3,8 +3,8 @@ name: Changes made to AWS CloudTrail logs
 description: |
   'Attackers often try to hide their steps by deleting or stopping the collection of logs that could show their activity. 
   This alert identifies any manipulation of AWS CloudTrail, Cloudwatch/EventBridge or VPC Flow logs.
-  More Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html
-  AWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html
+  More Information: AWS CloudTrail API: https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_Operations.html 
+  AWS Cloudwatch/Eventbridge API: https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_Operations.html 
   AWS DelteteFlowLogs API : https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html '
 severity: High
 status: Available
@@ -43,5 +43,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: SourceIpAddress
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Amazon Web Services/Hunting Queries/AWS_IAM_PrivilegeEscalationbyAttachment.yaml

@@ -4,8 +4,8 @@ description: |
   'An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance start.
   Identifies when existing role is removed and new/existing high privileged role is added to instance profile. 
   Any instance with this instance profile attached is able to perform privileged operations.
-  AWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
-  and CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/iam_privesc_by_attachment'
+  AWS Instance Profile: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html 
+  and CloudGoat - IAM PrivilegeEscalation by Attachment: https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/iam_privesc_by_attachment '
 requiredDataConnectors:
   - connectorId: AWS
     dataTypes:

Solutions/Amazon Web Services/Hunting Queries/AWS_PrivilegedRoleAttachedToInstance.yaml

@@ -3,7 +3,7 @@ name: Privileged role attached to Instance
 description: |
   'Identity and Access Management (IAM) securely manages access to AWS services and resources. 
   Identifies when a Privileged role is attached to an existing instance or new instance at deployment. This instance may be used by an adversary to escalate a normal user privileges to an adminsitrative level.
-  and AWS API AddRoleToInstanceProfile at https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html'
+  and AWS API AddRoleToInstanceProfile at https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddRoleToInstanceProfile.html '
 requiredDataConnectors:
   - connectorId: AWS
     dataTypes: