Updated orca-security_tests for sample indentation
1 parent
45bb226
commit 1e987e7
Showing
1 changed file
with
2 additions
and
7 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,5 @@ | ||
id: "orca-security" | ||
tests: | ||
- | ||
sample: "{\n \"group_val\": \"nongroup\",\n \"asset_type_string\": \"AwsKmsKey\",\n \"data\": \n {\n \"mitre_category\": \"collection\",\n \"recommendation\": \"It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys.\",\n \"details\": \"It was found that {AwsKmsKey} is pending deletion. Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.\",\n \"mitre_techniques\": [\"Data from Information Repositories (T1213)\"],\n \"title\": \"KMS CMK schedule deletion\",\n \"remediation_console\": [\n \">1. Open the AWS KMS console at **[KMS console](https://console.aws.amazon.com/kms/)**.\",\n \">2. Select the desired AWS Region by using the Region selector in the upper-right corner of the page.\",\n \">3. In the left navigation pane, select **Customer managed keys**.\",\n \">4. Select the desired KMS key that you want to recover.\",\n \">5. Click Key actions drop down menu and then, select **Cancel key deletion**.\",\n ],\n \"mitre_technique\": [\"Data from Information Repositories (T1213)\"],\n },\n \"alert_labels\": [\"mitre: collection\"],\n \"is_compliance\": False,\n \"group_type_string\": \"NonGroup\",\n \"related_compliances\": \n [\n \"AWS Foundational Security Best Practices\",\n \"CCPA\",\n \"CJIS (Criminal Justice Information Services)\",\n \"CMMC (Cybersecurity Maturity Model Certification) Level 2\",\n \"COPPA (Children’s Online Privacy Protection)\",\n \"CPRA (California Privacy Rights Act)\",\n \"DORA (Digital Operational Resilience Act)\",\n \"FFIEC (Federal Financial Institutions Examination Council)\",\n \"FedRAMP\",\n \"HIPAA\",\n \"HITRUST Level 1\",\n \"HITRUST Level 2\",\n \"HITRUST Level 3\",\n \"ISM (Australian Government Information Security Manual) September 2022\",\n \"ISMS-P (Personal information & Information Security Management System)\",\n \"ISO 27001 2013\",\n \"ISO 27001 2022\",\n \"ISO 27002 2022\",\n \"LGPD (Brazilian General Data 
Protection)\",\n \"MITRE ATT&CK v12\",\n \"MITRE ATT&CK v13\",\n \"MPA (Motion Picture Association) v5\",\n \"NIS (Network and Information Security) v2\",\n \"NIST 800-171 (Rev 2)\",\n \"NIST 800-171 (Rev 3)\",\n \"NIST 800-172\",\n \"NIST 800-53 (Rev 5.1.1)\",\n \"NZISM\",\n \"Orca Best Practices\",\n \"PDPA (Personal Data Protection Act)\",\n \"PDPO (Personal Data Privacy Ordinance)\",\n \"PIPEDA (Personal Information Protection and Electronic Documents Act)\",\n \"RBI (Reserve Bank of India)\",\n \"SOC 2\",\n \"TISAX VDA\",\n \"UK Cyber Essentials\",\n ],\n \"recommendation\": \"It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys.\",\n \"description\": \"KMS CMK schedule deletion\",\n \"source\": \"alias/JAY_ODS\",\n \"group_type\": \"AwsKmsKey\",\n \"cluster_type\": \"AwsKmsKey\",\n \"type\": \"aws_kms_cmk_pending_deletion\",\n \"group_unique_id\": \"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91\",\n \"cloud_account_id\": \"f77d16af-0f52-44e8-9496-d1c9bd46d930\",\n \"score\": \"normal\",\n \"hostname\": \"alias/JAY_ODS\",\n \"type_string\": \"KMS CMK schedule deletion\",\n \"asset_name\": \"alias/JAY_ODS\",\n \"account_name\": \"cds-avataar\",\n \"alert_source\": \"Orca Scan\",\n \"context\": \"control\",\n \"asset_type\": \"AwsKmsKey\",\n \"details\": \"It was found that alias/JAY_ODS is pending deletion. 
Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.\",\n \"state\": \n {\n \"severity\": \"informational\",\n \"rule_source\": \"Orca\",\n \"last_updated\": \"2024-11-20T16:17:40+00:00\",\n \"last_seen\": \"2024-11-19T15:28:57+00:00\",\n \"low_since\": \"2024-11-13T16:07:48+00:00\",\n \"created_at\": \"2024-11-13T15:21:12+00:00\",\n \"closed_time\": \"2024-11-20T16:17:40+00:00\",\n \"score\": 4,\n \"risk_level\": \"informational\",\n \"orca_score\": 1.8,\n \"alert_id\": \"orca-5903\",\n \"closed_reason\": \"asset deleted\",\n \"status_time\": \"2024-11-20T16:17:40+00:00\",\n \"status\": \"closed\",\n },\n \"rule_query\": \"AwsKmsKey with KeyState = 'PendingDeletion'\",\n \"cluster_unique_id\": \"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91\",\n \"cluster_name\": \"alias/JAY_ODS\",\n \"subject_type\": \"AwsKmsKey\",\n \"group_name\": \"alias/JAY_ODS\",\n \"level\": 0,\n \"tags_info_list\": [\"ODS|JAY\"],\n \"is_rule\": True,\n \"cloud_provider\": \"aws\",\n \"organization_name\": \"test\",\n \"cloud_vendor_id\": \"748335378900\",\n \"type_key\": \"ad59fd836bc225b159dcfbf413191c77\",\n \"rule_id\": \"r4c1559f2e0\",\n \"asset_category\": \"Encryption and Secrets\",\n \"asset_state\": \"enabled\",\n \"service\": \"Orca Alerts\",\n \"asset_tags_info_list\": [\"ODS|JAY\"],\n \"asset_unique_id\": \"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91\",\n \"cloud_provider_id\": \"748335378900\",\n \"category\": \"Data protection\",\n \"cloud_account_type\": \"Regular\",\n \"asset_vendor_id\": \"arn:aws:kms:us-east-1:748335378900:key/afcaa647-4393-4a29-b869-0c97914a1773\",\n}" | ||
result: | ||
custom: {} | ||
message: "{\n \"group_val\": \"nongroup\",\n \"asset_type_string\": \"AwsKmsKey\",\n \"data\": \n {\n \"mitre_category\": \"collection\",\n \"recommendation\": \"It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys.\",\n \"details\": \"It was found that {AwsKmsKey} is pending deletion. Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.\",\n \"mitre_techniques\": [\"Data from Information Repositories (T1213)\"],\n \"title\": \"KMS CMK schedule deletion\",\n \"remediation_console\": [\n \">1. Open the AWS KMS console at **[KMS console](https://console.aws.amazon.com/kms/)**.\",\n \">2. Select the desired AWS Region by using the Region selector in the upper-right corner of the page.\",\n \">3. In the left navigation pane, select **Customer managed keys**.\",\n \">4. Select the desired KMS key that you want to recover.\",\n \">5. Click Key actions drop down menu and then, select **Cancel key deletion**.\",\n ],\n \"mitre_technique\": [\"Data from Information Repositories (T1213)\"],\n },\n \"alert_labels\": [\"mitre: collection\"],\n \"is_compliance\": False,\n \"group_type_string\": \"NonGroup\",\n \"related_compliances\": \n [\n \"AWS Foundational Security Best Practices\",\n \"CCPA\",\n \"CJIS (Criminal Justice Information Services)\",\n \"CMMC (Cybersecurity Maturity Model Certification) Level 2\",\n \"COPPA (Children’s Online Privacy Protection)\",\n \"CPRA (California Privacy Rights Act)\",\n \"DORA (Digital Operational Resilience Act)\",\n \"FFIEC (Federal Financial Institutions Examination Council)\",\n \"FedRAMP\",\n \"HIPAA\",\n \"HITRUST Level 1\",\n \"HITRUST Level 2\",\n \"HITRUST Level 3\",\n \"ISM (Australian Government Information Security Manual) September 2022\",\n \"ISMS-P (Personal information & Information Security Management System)\",\n \"ISO 27001 2013\",\n \"ISO 27001 2022\",\n \"ISO 27002 2022\",\n \"LGPD (Brazilian General Data 
Protection)\",\n \"MITRE ATT&CK v12\",\n \"MITRE ATT&CK v13\",\n \"MPA (Motion Picture Association) v5\",\n \"NIS (Network and Information Security) v2\",\n \"NIST 800-171 (Rev 2)\",\n \"NIST 800-171 (Rev 3)\",\n \"NIST 800-172\",\n \"NIST 800-53 (Rev 5.1.1)\",\n \"NZISM\",\n \"Orca Best Practices\",\n \"PDPA (Personal Data Protection Act)\",\n \"PDPO (Personal Data Privacy Ordinance)\",\n \"PIPEDA (Personal Information Protection and Electronic Documents Act)\",\n \"RBI (Reserve Bank of India)\",\n \"SOC 2\",\n \"TISAX VDA\",\n \"UK Cyber Essentials\",\n ],\n \"recommendation\": \"It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys.\",\n \"description\": \"KMS CMK schedule deletion\",\n \"source\": \"alias/JAY_ODS\",\n \"group_type\": \"AwsKmsKey\",\n \"cluster_type\": \"AwsKmsKey\",\n \"type\": \"aws_kms_cmk_pending_deletion\",\n \"group_unique_id\": \"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91\",\n \"cloud_account_id\": \"f77d16af-0f52-44e8-9496-d1c9bd46d930\",\n \"score\": \"normal\",\n \"hostname\": \"alias/JAY_ODS\",\n \"type_string\": \"KMS CMK schedule deletion\",\n \"asset_name\": \"alias/JAY_ODS\",\n \"account_name\": \"cds-avataar\",\n \"alert_source\": \"Orca Scan\",\n \"context\": \"control\",\n \"asset_type\": \"AwsKmsKey\",\n \"details\": \"It was found that alias/JAY_ODS is pending deletion. 
Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.\",\n \"state\": \n {\n \"severity\": \"informational\",\n \"rule_source\": \"Orca\",\n \"last_updated\": \"2024-11-20T16:17:40+00:00\",\n \"last_seen\": \"2024-11-19T15:28:57+00:00\",\n \"low_since\": \"2024-11-13T16:07:48+00:00\",\n \"created_at\": \"2024-11-13T15:21:12+00:00\",\n \"closed_time\": \"2024-11-20T16:17:40+00:00\",\n \"score\": 4,\n \"risk_level\": \"informational\",\n \"orca_score\": 1.8,\n \"alert_id\": \"orca-5903\",\n \"closed_reason\": \"asset deleted\",\n \"status_time\": \"2024-11-20T16:17:40+00:00\",\n \"status\": \"closed\",\n },\n \"rule_query\": \"AwsKmsKey with KeyState = 'PendingDeletion'\",\n \"cluster_unique_id\": \"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91\",\n \"cluster_name\": \"alias/JAY_ODS\",\n \"subject_type\": \"AwsKmsKey\",\n \"group_name\": \"alias/JAY_ODS\",\n \"level\": 0,\n \"tags_info_list\": [\"ODS|JAY\"],\n \"is_rule\": True,\n \"cloud_provider\": \"aws\",\n \"organization_name\": \"test\",\n \"cloud_vendor_id\": \"748335378900\",\n \"type_key\": \"ad59fd836bc225b159dcfbf413191c77\",\n \"rule_id\": \"r4c1559f2e0\",\n \"asset_category\": \"Encryption and Secrets\",\n \"asset_state\": \"enabled\",\n \"service\": \"Orca Alerts\",\n \"asset_tags_info_list\": [\"ODS|JAY\"],\n \"asset_unique_id\": \"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91\",\n \"cloud_provider_id\": \"748335378900\",\n \"category\": \"Data protection\",\n \"cloud_account_type\": \"Regular\",\n \"asset_vendor_id\": \"arn:aws:kms:us-east-1:748335378900:key/afcaa647-4393-4a29-b869-0c97914a1773\",\n}" | ||
tags: | ||
- "source:LOGS_SOURCE" | ||
timestamp: 1 | ||
sample: {"group_val":"nongroup","asset_type_string":"AwsKmsKey","data":{"mitre_category":"collection","recommendation":"It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys.","details":"It was found that {AwsKmsKey} is pending deletion. Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.","mitre_techniques":["Data from Information Repositories (T1213)"],"title":"KMS CMK schedule deletion","remediation_console":[">1. Open the AWS KMS console at **[KMS console](https://console.aws.amazon.com/kms/)**.",">2. Select the desired AWS Region by using the Region selector in the upper-right corner of the page.",">3. In the left navigation pane, select **Customer managed keys**.",">4. Select the desired KMS key that you want to recover.",">5. Click Key actions drop down menu and then, select **Cancel key deletion**."],"mitre_technique":["Data from Information Repositories (T1213)"]},"alert_labels":["mitre: collection"],"is_compliance":"False","group_type_string":"NonGroup","related_compliances":["AWS Foundational Security Best Practices","CCPA","CJIS (Criminal Justice Information Services)","CMMC (Cybersecurity Maturity Model Certification) Level 2","COPPA (Children’s Online Privacy Protection)","CPRA (California Privacy Rights Act)","DORA (Digital Operational Resilience Act)","FFIEC (Federal Financial Institutions Examination Council)","FedRAMP","HIPAA","HITRUST Level 1","HITRUST Level 2","HITRUST Level 3","ISM (Australian Government Information Security Manual) September 2022","ISMS-P (Personal information & Information Security Management System)","ISO 27001 2013","ISO 27001 2022","ISO 27002 2022","LGPD (Brazilian General Data Protection)","MITRE ATT&CK v12","MITRE ATT&CK v13","MPA (Motion Picture Association) v5","NIS (Network and Information Security) v2","NIST 800-171 (Rev 2)","NIST 800-171 (Rev 3)","NIST 800-172","NIST 800-53 (Rev 5.1.1)","NZISM","Orca Best 
Practices","PDPA (Personal Data Protection Act)","PDPO (Personal Data Privacy Ordinance)","PIPEDA (Personal Information Protection and Electronic Documents Act)","RBI (Reserve Bank of India)","SOC 2","TISAX VDA","UK Cyber Essentials"],"recommendation":"It is recommended to verify the CMK which have been scheduled for deletion in order to avoid loss of data encrypted with those keys.","description":"KMS CMK schedule deletion","source":"alias/JAY_ODS","group_type":"AwsKmsKey","cluster_type":"AwsKmsKey","type":"aws_kms_cmk_pending_deletion","group_unique_id":"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91","cloud_account_id":"f77d16af-0f52-44e8-9496-d1c9bd46d930","score":"normal","hostname":"alias/JAY_ODS","type_string":"KMS CMK schedule deletion","asset_name":"alias/JAY_ODS","account_name":"cds-avataar","alert_source":"Orca Scan","context":"control","asset_type":"AwsKmsKey","details":"It was found that alias/JAY_ODS is pending deletion. Identify and recover any KMS Customer Master Keys (CMK) scheduled for deletion.","state":{"severity":"informational","rule_source":"Orca","last_updated":"2024-11-20T16:17:40+00:00","last_seen":"2024-11-19T15:28:57+00:00","low_since":"2024-11-13T16:07:48+00:00","created_at":"2024-11-13T15:21:12+00:00","closed_time":"2024-11-20T16:17:40+00:00","score":4,"risk_level":"informational","orca_score":1.8,"alert_id":"orca-5903","closed_reason":"asset deleted","status_time":"2024-11-20T16:17:40+00:00","status":"closed"},"rule_query":"AwsKmsKey with KeyState = 'PendingDeletion'","cluster_unique_id":"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91","cluster_name":"alias/JAY_ODS","subject_type":"AwsKmsKey","group_name":"alias/JAY_ODS","level":0,"tags_info_list":["ODS|JAY"],"is_rule":"True","cloud_provider":"aws","organization_name":"test","cloud_vendor_id":"748335378900","type_key":"ad59fd836bc225b159dcfbf413191c77","rule_id":"r4c1559f2e0","asset_category":"Encryption and Secrets","asset_state":"enabled","service":"Orca 
Alerts","asset_tags_info_list":["ODS|JAY"],"asset_unique_id":"AwsKmsKey_748335378900_5832f325-2adb-3211-7d8c-2bd9a4829e91","cloud_provider_id":"748335378900","category":"Data protection","cloud_account_type":"Regular","asset_vendor_id":"arn:aws:kms:us-east-1:748335378900:key/afcaa647-4393-4a29-b869-0c97914a1773"} | ||
result: null |
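Review bot: The new side ends with `result: null`, so this test case no longer pins any expected pipeline output (the removed side at least asserted `custom: {}`, the message and the `source:LOGS_SOURCE` tag); the expected result should be regenerated from the pipeline and committed rather than left null. The new `sample:` value is also an unquoted flow mapping instead of a quoted string, so a YAML loader will hand the test a mapping; if the harness expects the raw log line, a block scalar such as `sample: |-` with the JSON on the following line keeps it a string. `"is_compliance":"False"` and `"is_rule":"True"` are now quoted strings, which likely differs from the JSON booleans the source emits, so `"is_compliance":false` and `"is_rule":true` would exercise the real type. Separately, the sample carries what look like real tenant identifiers (`cloud_vendor_id` 748335378900, `account_name` cds-avataar, the KMS key ARN in `asset_vendor_id`); consider replacing them with synthetic values before this lands in a public repository.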