Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Detection for Multi Cloud #8808

Merged
merged 48 commits into from
Sep 14, 2023
Merged

New Detection for Multi Cloud #8808

merged 48 commits into from
Sep 14, 2023

Conversation

4R9UN
Copy link
Contributor

@4R9UN 4R9UN commented Aug 18, 2023

The detection is centered around Azure and AWS cloud environments, with a primary focus on identifying activities related to IAAS resource abuse within both AWS and Azure cloud environments.

Required items, please complete

Change(s):

New Detection
Reason for Change(s):

Multi-cloud Detection creation
Version Updated:
-yes

Testing Completed:
-yes

@4R9UN
New Detection for Multi Cloud
275ebcf 
The detection is centered around Azure and AWS cloud environments, with a primary focus on identifying activities related to IAAS resource abuse within both AWS and Azure cloud environments.
@4R9UN 4R9UN requested review from a team as code owners August 18, 2023 05:07
4R9UN
4R9UN commented Aug 18, 2023
View reviewed changes
Copy link
Contributor Author

@4R9UN 4R9UN left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fix KQL error

@4R9UN 4R9UN requested a review from petebryan August 18, 2023 05:43
@4R9UN
Copy link
Contributor Author

4R9UN commented Aug 18, 2023

@petebryan , Added Cross Cloud detection, kindly review.

@v-atulyadav v-atulyadav added the Detection Detection specialty review needed label Aug 18, 2023
4R9UN
4R9UN commented Aug 21, 2023
View reviewed changes
Copy link
Contributor Author

@4R9UN 4R9UN left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

edit logic based on below reference

https://microsoft.visualstudio.com/WDATP/_git/InE.MtpCorrelationRules?path=/Detector/Kusto/Rules/AlertDetection/StreamingTrigger/MassVMScaleSetCreationGPU/query.kql&_a=contents&version=GBmaster

@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

4R9UN
4R9UN commented Aug 24, 2023
View reviewed changes
Copy link
Contributor Author

@4R9UN 4R9UN left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Error Fix

petebryan
petebryan suggested changes Aug 30, 2023
View reviewed changes
Detections/MultipleDataSources/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml Show resolved Hide resolved
Detections/MultipleDataSources/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/ExtensiveAWSComputeResurseDeployements.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/UserImpersonateByRiskyUser.yaml Show resolved Hide resolved
Detections/MultipleDataSources/UserImpersonateByRiskyUser.yaml Show resolved Hide resolved
Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/UserImpersonateByAAID.yaml Show resolved Hide resolved
Detections/MultipleDataSources/UserImpersonateByRiskyUser.yaml Show resolved Hide resolved
@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@4R9UN
Update BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml
db323ed 
Update : 
-customDetails
- enabled Logic for both platform (AWS or Azure)
@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@4R9UN
Update and rename ExtensiveAWSComputeResurseDeployements.yaml to Susp…
4db19e8 
…iciousAWSEC2ComputeResourceDeployments

Update- 
-Changed Title
-added customDetails
-slight change in detection logic
@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@4R9UN
Update and rename SucessfullPosswordSprayAttampOnAWSConsolelogin.yaml…
00e813d 
… to SuccessfulAWSConsoleLoginfromIPAddressObservedConductingPasswordSpray.yaml

-Name and Title Changed
-Timing logic changed
@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

4R9UN
4R9UN commented Sep 7, 2023
View reviewed changes
Copy link
Contributor Author

@4R9UN 4R9UN left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Error Fix

@4R9UN
Copy link
Contributor Author

4R9UN commented Sep 7, 2023

@petebryan, I have updated 2 more detections for AWSGurdduty to the Azure portal login, kindly review.

petebryan
petebryan suggested changes Sep 7, 2023
View reviewed changes
Detections/MultipleDataSources/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/CrossCloudUnauthorizedCredentialsAccessDetection.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/CrossCloudUnauthorizedCredentialsAccessDetection.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/SuspiciousAWSCLICommandExecution.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/SuspiciousAWSEC2ComputeResourceDeployments.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/Unauthorized_user_access_across_AWS_and_Azure.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/Unauthorized_user_access_across_AWS_and_Azure.yaml Outdated Show resolved Hide resolved
Detections/MultipleDataSources/CrossCloudUnauthorizedCredentialsAccessDetection.yaml Outdated Show resolved Hide resolved
@4R9UN
Update BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml
c6b282a 
Accepted suggested logic 

| where (AWSFailedEventsCount >= 4 and AzureFailedEventsCount >= 5) and ((AzureSuccessfuleventsCount >= 1 and AzureFailedEvent > AzureSuccessfulEvent) or (AWSSuccessfuleventsCount >= 1 and AWSFailedEventsCount > AWSSuccessfuleventsCount))
@github-actions
Copy link
Contributor

github-actions bot commented Sep 8, 2023

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 8, 2023

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 8, 2023

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@4R9UN
Added New Detection for AWS cloud Shell execution
ffc5ff1 
Added New Detection for AWS cloud Shell execution
@4R9UN 4R9UN requested a review from a team as a code owner September 8, 2023 13:11
@github-actions
Copy link
Contributor

github-actions bot commented Sep 8, 2023

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

4R9UN
4R9UN commented Sep 8, 2023
View reviewed changes
Copy link
Contributor Author

@4R9UN 4R9UN left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated all the changes

@github-actions
Copy link
Contributor

github-actions bot commented Sep 8, 2023

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 8, 2023

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

@github-actions
Copy link
Contributor

Hello how are you I am GitHub bot
😀😀
I see that you changed templates under the detections/analytic rules folder. Did you remember to update the version of the templates you changed?
If not, and if you want customers to be aware that a new version of this template is available, please update the version property of the template you changed.

4R9UN
4R9UN commented Sep 14, 2023
View reviewed changes
Copy link
Contributor Author

@4R9UN 4R9UN left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update files based on suggestions.

@petebryan petebryan merged commit fc0fca4 into master Sep 14, 2023
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stesell stesell stesell left review comments

@petebryan petebryan petebryan approved these changes

Assignees

@petebryan petebryan

@v-rbajaj v-rbajaj

Labels
Detection Detection specialty review needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@4R9UN @petebryan @stesell @v-atulyadav @v-rbajaj