diff --git a/Solutions/Amazon Web Services/Hunting Queries/AWS_FailedBruteForceS3Bucket.yaml b/Solutions/Amazon Web Services/Hunting Queries/AWS_FailedBruteForceS3Bucket.yaml
index 833339bc61a..0c2cc03f5eb 100644
--- a/Solutions/Amazon Web Services/Hunting Queries/AWS_FailedBruteForceS3Bucket.yaml
+++ b/Solutions/Amazon Web Services/Hunting Queries/AWS_FailedBruteForceS3Bucket.yaml
@@ -13,7 +13,7 @@ relevantTechniques:
- T1619
query: |
AWSCloudTrail
- | where EventName == "GetObject" and isempty(ErrorCode) and isempty(ErrorMessage)
+ | where EventName == "GetObject" and not(isempty(ErrorCode) and isempty(ErrorMessage))
| where UserIdentityAccountId == "ANONYMOUS_PRINCIPAL" or UserIdentityAccessKeyId <> RecipientAccountId
| extend bucketName = tostring(parse_json(RequestParameters).bucketName), keyName = tostring(parse_json(RequestParameters).key)
| summarize arg_max(TimeGenerated, *), failed_attempts = dcount(keyName) by UserIdentityAccountId, SourceIpAddress, bucketName
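Review bot: The new predicate on the GetObject line, `not(isempty(ErrorCode) and isempty(ErrorMessage))`, selects every event where at least one of the two error fields is populated, which is the intended "failed request" set but reads as a double negative; `| where EventName == "GetObject" and (isnotempty(ErrorCode) or isnotempty(ErrorMessage))` states the same condition directly and is less likely to be flipped back by the next editor. On the summarize line, `failed_attempts = dcount(keyName)` counts distinct object keys rather than requests, so many failures against one key register as a single attempt; if the hunt is meant to surface request volume, a `count()` alongside the dcount would make that visible. The `query: |` block continues past the end of this hunk.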
@@ -28,4 +28,4 @@ entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
- columnName: IPCustomEntity
\ No newline at end of file
+ columnName: IPCustomEntity
diff --git a/Solutions/Amazon Web Services/Package/3.0.3.zip b/Solutions/Amazon Web Services/Package/3.0.3.zip
new file mode 100644
index 00000000000..4b20b22652d
Binary files /dev/null and b/Solutions/Amazon Web Services/Package/3.0.3.zip differ
diff --git a/Solutions/Amazon Web Services/Package/createUiDefinition.json b/Solutions/Amazon Web Services/Package/createUiDefinition.json
index e9ca4148d66..dada45f0859 100644
--- a/Solutions/Amazon Web Services/Package/createUiDefinition.json
+++ b/Solutions/Amazon Web Services/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Amazon%20Web%20Services/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Amazon Web Services solution for Microsoft Sentinel allows you to enable Security monitoring of AWS services by allowing ingestion of logs from the AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch.\n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 57, **Hunting Queries:** 36\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Amazon%20Web%20Services/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Amazon Web Services solution for Microsoft Sentinel allows you to enable Security monitoring of AWS services by allowing ingestion of logs from the AWS CloudTrail platform, VPC Flow Logs, AWS GuardDuty and AWS CloudWatch. \n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 57, **Hunting Queries:** 36\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -180,7 +180,7 @@
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\nin a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html"
+ "text": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html"
}
}
]
@@ -222,7 +222,7 @@
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful."
+ "text": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful."
}
}
]
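Review bot: The rewritten `analytic5-text` string still spells "adminsitrative accounts", while the parallel `analytic10-text` string in the next hunk spells it "administrative"; since the line is being touched anyway, change it to `administrative`. The same typo is carried into the AWS_ConsoleLogonWithoutMFA rule description in the mainTemplate.json hunk at `@@ -1946,7 +1946,7 @@`. These Package files look generated from the rule YAML, so the correction presumably belongs in the source rule's description with the package regenerated — confirm against the packaging tool before editing the JSON by hand.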
@@ -292,7 +292,7 @@
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful."
+ "text": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful."
}
}
]
diff --git a/Solutions/Amazon Web Services/Package/mainTemplate.json b/Solutions/Amazon Web Services/Package/mainTemplate.json
index c76d0f6c6ed..df0b1b7b912 100644
--- a/Solutions/Amazon Web Services/Package/mainTemplate.json
+++ b/Solutions/Amazon Web Services/Package/mainTemplate.json
@@ -47,7 +47,7 @@
},
"variables": {
"_solutionName": "Amazon Web Services",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
"solutionId": "azuresentinel.azure-sentinel-solution-amazonwebservices",
"_solutionId": "[variables('solutionId')]",
"uiConfigId1": "AWS",
@@ -89,11 +89,11 @@
"_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8c2ef238-67a0-497d-b1dd-5c8a0f533e25','-', '1.0.3')))]"
},
"analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.4",
+ "analyticRuleVersion2": "1.0.5",
"_analyticRulecontentId2": "65360bb0-8986-4ade-a89d-af3cf44d28aa",
"analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '65360bb0-8986-4ade-a89d-af3cf44d28aa')]",
"analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('65360bb0-8986-4ade-a89d-af3cf44d28aa')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','65360bb0-8986-4ade-a89d-af3cf44d28aa','-', '1.0.4')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','65360bb0-8986-4ade-a89d-af3cf44d28aa','-', '1.0.5')))]"
},
"analyticRuleObject3": {
"analyticRuleVersion3": "1.0.3",
@@ -110,11 +110,11 @@
"_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','093fe75e-44f1-4d3e-94dc-6d258a6dd2d2','-', '1.0.0')))]"
},
"analyticRuleObject5": {
- "analyticRuleVersion5": "1.0.4",
+ "analyticRuleVersion5": "1.0.5",
"_analyticRulecontentId5": "d25b1998-a592-4bc5-8a3a-92b39eedb1bc",
"analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd25b1998-a592-4bc5-8a3a-92b39eedb1bc')]",
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d25b1998-a592-4bc5-8a3a-92b39eedb1bc')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d25b1998-a592-4bc5-8a3a-92b39eedb1bc','-', '1.0.4')))]"
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d25b1998-a592-4bc5-8a3a-92b39eedb1bc','-', '1.0.5')))]"
},
"analyticRuleObject6": {
"analyticRuleVersion6": "1.0.3",
@@ -145,11 +145,11 @@
"_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c7bfadd4-34a6-4fa5-82f8-3691a32261e8','-', '1.0.3')))]"
},
"analyticRuleObject10": {
- "analyticRuleVersion10": "1.0.2",
+ "analyticRuleVersion10": "1.0.3",
"_analyticRulecontentId10": "0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b",
"analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b')]",
"analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b','-', '1.0.2')))]"
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0ee2aafb-4500-4e36-bcb1-e90eec2f0b9b','-', '1.0.3')))]"
},
"analyticRuleObject11": {
"analyticRuleVersion11": "1.0.6",
@@ -672,7 +672,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Amazon Web Services data connector with template version 3.0.2",
+ "description": "Amazon Web Services data connector with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -829,7 +829,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Amazon Web Services data connector with template version 3.0.2",
+ "description": "Amazon Web Services data connector with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion2')]",
@@ -1251,7 +1251,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AmazonWebServicesNetworkActivities Workbook with template version 3.0.2",
+ "description": "AmazonWebServicesNetworkActivities Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion1')]",
@@ -1338,7 +1338,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AmazonWebServicesUserActivities Workbook with template version 3.0.2",
+ "description": "AmazonWebServicesUserActivities Workbook with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('workbookVersion2')]",
@@ -1425,7 +1425,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ChangeToRDSDatabase_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_ChangeToRDSDatabase_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -1453,16 +1453,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -1473,7 +1473,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -1487,16 +1486,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1551,7 +1551,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ChangeToVPC_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_ChangeToVPC_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1565,7 +1565,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources\nin a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html",
+ "description": "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.\nThis identifies changes to Amazon VPC (Virtual Private Cloud) settings such as new ACL entries,routes, routetable or Gateways.\nMore information: https://medium.com/@GorillaStack/the-most-important-aws-cloudtrail-security-events-to-track-a5b9873f8255 \nand AWS VPC API Docs: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/OperationList-query-vpc.html",
"displayName": "Changes to Amazon VPC settings",
"enabled": false,
"query": "let EventNameList = dynamic([\"CreateNetworkAclEntry\",\"CreateRoute\",\"CreateRouteTable\",\"CreateInternetGateway\",\"CreateNatGateway\"]);\nAWSCloudTrail\n| where EventName in~ (EventNameList)\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource, AdditionalEventData, ResponseElements\n| extend timestamp = StartTimeUtc\n",
@@ -1579,16 +1579,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -1601,7 +1601,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -1615,16 +1614,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1679,7 +1679,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ClearStopChangeTrailLogs_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_ClearStopChangeTrailLogs_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1707,16 +1707,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -1724,7 +1724,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -1738,16 +1737,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1802,7 +1802,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ConfigServiceResourceDeletion_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_ConfigServiceResourceDeletion_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1830,16 +1830,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -1854,7 +1854,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -1868,16 +1867,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -1932,7 +1932,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1946,7 +1946,7 @@
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.",
+ "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.",
"displayName": "Login to AWS Management Console without MFA",
"enabled": false,
"query": "AWSCloudTrail\n| where EventName =~ \"ConsoleLogin\"\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin), indexId = indexof(tostring(UserIdentityPrincipalid),\":\")\n| where MFAUsed !~ \"Yes\" and LoginResult !~ \"Failure\"\n| where SessionIssuerUserName !contains \"AWSReservedSSO\"\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, indexId\n| extend timestamp = StartTimeUtc\n",
@@ -1960,16 +1960,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -1983,7 +1983,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -1997,16 +1996,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2061,7 +2061,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CredentialHijack_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CredentialHijack_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -2089,16 +2089,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -2109,7 +2109,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -2123,16 +2122,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2187,7 +2187,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_FullAdminPolicyAttachedToRolesUsersGroups_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_FullAdminPolicyAttachedToRolesUsersGroups_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -2215,16 +2215,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -2232,7 +2232,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -2246,16 +2245,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2310,7 +2310,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_IngressEgressSecurityGroupChange_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_IngressEgressSecurityGroupChange_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -2338,16 +2338,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -2358,7 +2358,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -2372,16 +2371,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2436,7 +2436,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_LoadBalancerSecGroupChange_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_LoadBalancerSecGroupChange_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -2464,16 +2464,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -2484,7 +2484,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -2498,16 +2497,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2562,7 +2562,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "NRT_AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "NRT_AWS_ConsoleLogonWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -2576,7 +2576,7 @@
"kind": "NRT",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used\nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.",
+ "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for administrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used and the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.",
"displayName": "NRT Login to AWS Management Console without MFA",
"enabled": false,
"query": "AWSCloudTrail\n| where EventName =~ \"ConsoleLogin\"\n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| where MFAUsed !~ \"Yes\" and LoginResult !~ \"Failure\"\n| where SessionIssuerUserName !contains \"AWSReservedSSO\"\n| extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)\n| extend UserName = tostring(split(UserIdentityArn, '/')[-1])\n| extend AccountName = case( UserIdentityPrincipalid == \"Anonymous\", \"Anonymous\", isempty(UserIdentityUserName), UserName, UserIdentityUserName)\n| extend AccountName = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 0)[0]), AccountName),\n AccountUPNSuffix = iif(AccountName contains \"@\", tostring(split(AccountName, '@', 1)[0]), \"\")\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, RecipientAccountId, AccountName, AccountUPNSuffix, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent,\n UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\n",
@@ -2586,16 +2586,16 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
},
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"tactics": [
@@ -2609,7 +2609,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -2623,16 +2622,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2687,7 +2687,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_GuardDuty_template_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_GuardDuty_template_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
@@ -2715,15 +2715,14 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWSS3",
"dataTypes": [
"AWSGuardDuty"
- ],
- "connectorId": "AWSS3"
+ ]
}
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -2737,48 +2736,49 @@
"columnName": "RemoteAWSAccountId",
"identifier": "ObjectGuid"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "RemoteIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "LocalIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
},
{
- "entityType": "URL",
"fieldMappings": [
{
"columnName": "FindingLink",
"identifier": "Url"
}
- ]
+ ],
+ "entityType": "URL"
}
],
"customDetails": {
- "ThreatFamilyName": "ThreatFamilyName",
+ "ResourceTypeAffected": "ResourceTypeAffected",
"Artifact": "Artifact",
"ThreatPurpose": "ThreatPurpose",
- "ResourceTypeAffected": "ResourceTypeAffected",
+ "ThreatFamilyName": "ThreatFamilyName",
"DetectionMechanism": "DetectionMechanism"
},
"alertDetailsOverride": {
"alertTacticsColumnName": "ThreatPurpose",
"alertDescriptionFormat": "{{Description}}",
- "alertSeverityColumnName": "Severity",
- "alertDisplayNameFormat": "{{Title}}"
+ "alertDisplayNameFormat": "{{Title}}",
+ "alertSeverityColumnName": "Severity"
}
}
},
@@ -2832,7 +2832,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ECRContainerHigh_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_ECRContainerHigh_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]",
@@ -2860,10 +2860,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -2874,7 +2874,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -2888,16 +2887,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -2952,7 +2952,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_SuspiciousCommandEC2_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_SuspiciousCommandEC2_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]",
@@ -2980,10 +2980,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -2994,7 +2994,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3008,16 +3007,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3072,7 +3072,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_APIfromTor_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_APIfromTor_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]",
@@ -3100,10 +3100,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -3114,7 +3114,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3128,16 +3127,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3192,7 +3192,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_GuardDutyDisabled_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_GuardDutyDisabled_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]",
@@ -3220,10 +3220,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -3234,7 +3234,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3248,16 +3247,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3312,7 +3312,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedCloudFormationPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedCloudFormationPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]",
@@ -3340,10 +3340,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -3354,7 +3354,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3368,16 +3367,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3432,7 +3432,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedCRUDDyanmoDBPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedCRUDDyanmoDBPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
@@ -3460,10 +3460,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -3474,7 +3474,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3488,16 +3487,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3552,7 +3552,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedCRUDIAMtoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedCRUDIAMtoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]",
@@ -3580,10 +3580,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -3594,7 +3594,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3608,16 +3607,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3672,7 +3672,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedCRUDKMSPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedCRUDKMSPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]",
@@ -3700,10 +3700,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -3714,7 +3714,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3728,16 +3727,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3792,7 +3792,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedCRUDS3PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedCRUDS3PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]",
@@ -3820,10 +3820,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -3834,7 +3834,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3848,16 +3847,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -3912,7 +3912,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedCURDLambdaPolicytoPrivilegEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedCURDLambdaPolicytoPrivilegEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]",
@@ -3940,10 +3940,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -3954,7 +3954,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -3968,16 +3967,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4032,7 +4032,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedDataPipelinePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedDataPipelinePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]",
@@ -4060,10 +4060,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -4074,7 +4074,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -4088,16 +4087,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4152,7 +4152,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedEC2PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedEC2PolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]",
@@ -4180,10 +4180,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -4194,7 +4194,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -4208,16 +4207,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4272,7 +4272,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedGluePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedGluePolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]",
@@ -4300,10 +4300,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -4314,7 +4314,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -4328,16 +4327,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4392,7 +4392,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedLambdaPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedLambdaPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]",
@@ -4420,10 +4420,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -4434,7 +4434,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -4448,16 +4447,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4512,7 +4512,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreatedSSMPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreatedSSMPolicytoPrivilegeEscalation_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]",
@@ -4540,10 +4540,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -4554,7 +4554,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -4568,16 +4567,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4632,7 +4632,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreationofEncryptKeysWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_CreationofEncryptKeysWithoutMFA_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]",
@@ -4660,10 +4660,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -4674,7 +4674,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -4688,16 +4687,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4752,7 +4752,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ECRImageScanningDisabled_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_ECRImageScanningDisabled_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]",
@@ -4780,10 +4780,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -4794,7 +4794,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -4808,16 +4807,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4872,7 +4872,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_LogTampering_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_LogTampering_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]",
@@ -4900,10 +4900,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -4911,7 +4911,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -4925,16 +4924,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -4989,7 +4989,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_NetworkACLOpenToAllPorts_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_NetworkACLOpenToAllPorts_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]",
@@ -5017,10 +5017,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5031,7 +5031,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -5045,16 +5044,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -5109,7 +5109,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_OverlyPermessiveKMS_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_OverlyPermessiveKMS_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]",
@@ -5137,10 +5137,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5151,7 +5151,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -5165,16 +5164,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -5229,7 +5229,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationAdministratorAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationAdministratorAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]",
@@ -5257,10 +5257,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5271,7 +5271,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -5285,16 +5284,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -5349,7 +5349,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationAdminManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationAdminManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]",
@@ -5377,10 +5377,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5391,7 +5391,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -5405,16 +5404,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -5469,7 +5469,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationFullAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationFullAccessManagedPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]",
@@ -5497,10 +5497,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5511,7 +5511,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -5525,16 +5524,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -5589,7 +5589,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaCloudFormationPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaCloudFormationPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]",
@@ -5617,10 +5617,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5631,7 +5631,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -5645,16 +5644,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -5709,7 +5709,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationviaCRUDDynamoDB_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationviaCRUDDynamoDB_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]",
@@ -5737,10 +5737,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5751,7 +5751,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -5765,16 +5764,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -5829,7 +5829,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaCRUDIAMPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaCRUDIAMPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]",
@@ -5857,10 +5857,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5871,7 +5871,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -5885,16 +5884,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -5949,7 +5949,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaCRUDKMSPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaCRUDKMSPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]",
@@ -5977,10 +5977,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -5991,7 +5991,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6005,16 +6004,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -6069,7 +6069,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaCRUDLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaCRUDLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]",
@@ -6097,10 +6097,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -6111,7 +6111,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6125,16 +6124,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -6189,7 +6189,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaCRUDS3Policy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaCRUDS3Policy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]",
@@ -6217,10 +6217,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -6231,7 +6231,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6245,16 +6244,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -6309,7 +6309,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaDataPipeline_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaDataPipeline_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]",
@@ -6337,10 +6337,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -6351,7 +6351,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6365,16 +6364,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -6429,7 +6429,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaEC2Policy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaEC2Policy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]",
@@ -6457,10 +6457,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -6471,7 +6471,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6485,16 +6484,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -6549,7 +6549,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaGluePolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaGluePolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]",
@@ -6577,10 +6577,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -6591,7 +6591,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6605,16 +6604,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -6669,7 +6669,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaLambdaPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]",
@@ -6697,10 +6697,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -6711,7 +6711,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6725,16 +6724,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -6789,7 +6789,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegeEscalationViaSSM_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_PrivilegeEscalationViaSSM_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]",
@@ -6817,10 +6817,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -6831,7 +6831,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6845,16 +6844,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -6909,7 +6909,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_RDSInstancePubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_RDSInstancePubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]",
@@ -6937,10 +6937,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -6951,7 +6951,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -6965,16 +6964,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7029,7 +7029,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_S3BruteForce_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_S3BruteForce_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]",
@@ -7057,10 +7057,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -7071,7 +7071,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -7085,16 +7084,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7149,7 +7149,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_S3BucketAccessPointExposed_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_S3BucketAccessPointExposed_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]",
@@ -7177,10 +7177,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -7191,7 +7191,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -7205,16 +7204,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7269,7 +7269,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_S3BucketExposedviaACL_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_S3BucketExposedviaACL_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]",
@@ -7297,10 +7297,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -7311,7 +7311,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -7325,16 +7324,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7389,7 +7389,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_S3BucketExposedviaPolicy_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_S3BucketExposedviaPolicy_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]",
@@ -7417,10 +7417,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -7431,7 +7431,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -7445,16 +7444,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7509,7 +7509,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_S3ObjectPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_S3ObjectPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]",
@@ -7537,10 +7537,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -7551,7 +7551,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -7565,16 +7564,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7629,7 +7629,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_S3Ransomware_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_S3Ransomware_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]",
@@ -7657,10 +7657,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -7671,7 +7671,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -7685,16 +7684,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7749,7 +7749,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_SAMLUpdateIdentity_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_SAMLUpdateIdentity_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject53').analyticRuleVersion53]",
@@ -7777,10 +7777,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -7791,7 +7791,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -7805,16 +7804,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7869,7 +7869,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_SetDefaulyPolicyVersion_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_SetDefaulyPolicyVersion_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject54').analyticRuleVersion54]",
@@ -7897,10 +7897,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -7911,7 +7911,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -7925,16 +7924,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -7989,7 +7989,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_SSMPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "AWS_SSMPubliclyExposed_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject55').analyticRuleVersion55]",
@@ -8017,10 +8017,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -8031,7 +8031,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -8045,16 +8044,17 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
]
}
@@ -8109,7 +8109,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousAWSCLICommandExecution_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SuspiciousAWSCLICommandExecution_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject56').analyticRuleVersion56]",
@@ -8137,10 +8137,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -8162,7 +8162,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -8176,13 +8175,14 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
}
],
"customDetails": {
- "SuspiciousCommand": "commands",
"AWSUserIp": "SourceIpAddress",
- "AWSUser": "UserIdentityUserName"
+ "AWSUser": "UserIdentityUserName",
+ "SuspiciousCommand": "commands"
}
}
},
@@ -8236,7 +8236,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "SuspiciousAWSEC2ComputeResourceDeployments_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "SuspiciousAWSEC2ComputeResourceDeployments_AnalyticalRules Analytics Rule with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('analyticRuleObject57').analyticRuleVersion57]",
@@ -8264,10 +8264,10 @@
"status": "Available",
"requiredDataConnectors": [
{
+ "connectorId": "AWS",
"dataTypes": [
"AWSCloudTrail"
- ],
- "connectorId": "AWS"
+ ]
}
],
"tactics": [
@@ -8278,7 +8278,6 @@
],
"entityMappings": [
{
- "entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
@@ -8292,22 +8291,23 @@
"columnName": "RecipientAccountId",
"identifier": "CloudAppAccountId"
}
- ]
+ ],
+ "entityType": "Account"
},
{
- "entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
- ]
+ ],
+ "entityType": "IP"
}
],
"customDetails": {
- "SourceIpAddress": "SourceIpAddress",
+ "AWSUser": "UserIdentityArn",
"UserAgent": "UserAgent",
- "AWSUser": "UserIdentityArn"
+ "SourceIpAddress": "SourceIpAddress"
}
}
},
@@ -8361,7 +8361,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_IAM_PolicyChange_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_IAM_PolicyChange_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -8445,7 +8445,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_IAM_PrivilegeEscalationbyAttachment_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_IAM_PrivilegeEscalationbyAttachment_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -8529,7 +8529,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PrivilegedRoleAttachedToInstance_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_PrivilegedRoleAttachedToInstance_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -8613,7 +8613,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_SuspiciousCredentialTokenAccessOfValid_IAM_Roles_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -8697,7 +8697,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_Unused_UnsupportedCloudRegions_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_Unused_UnsupportedCloudRegions_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -8781,7 +8781,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_EC2_WithoutKeyPair_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_EC2_WithoutKeyPair_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -8865,7 +8865,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_AssumeRoleBruteForce_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_AssumeRoleBruteForce_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -8949,7 +8949,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_BucketVersioningSuspended_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_BucketVersioningSuspended_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -9033,7 +9033,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreateAccessKey_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_CreateAccessKey_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -9117,7 +9117,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_CreateLoginProfile_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_CreateLoginProfile_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -9201,7 +9201,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ECRContainerLow_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_ECRContainerLow_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]",
@@ -9285,7 +9285,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ECRContainerMedium_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_ECRContainerMedium_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]",
@@ -9369,7 +9369,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ExcessiveExecutionofDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_ExcessiveExecutionofDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]",
@@ -9453,7 +9453,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_FailedBruteForceS3Bucket_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_FailedBruteForceS3Bucket_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]",
@@ -9469,7 +9469,7 @@
"eTag": "*",
"displayName": "Failed brute force on S3 bucket",
"category": "Hunting Queries",
- "query": "AWSCloudTrail\n| where EventName == \"GetObject\" and isempty(ErrorCode) and isempty(ErrorMessage)\n| where UserIdentityAccountId == \"ANONYMOUS_PRINCIPAL\" or UserIdentityAccessKeyId <> RecipientAccountId\n| extend bucketName = tostring(parse_json(RequestParameters).bucketName), keyName = tostring(parse_json(RequestParameters).key)\n| summarize arg_max(TimeGenerated, *), failed_attempts = dcount(keyName) by UserIdentityAccountId, SourceIpAddress, bucketName\n| where failed_attempts > 20\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, bucketName\n",
+ "query": "AWSCloudTrail\n| where EventName == \"GetObject\" and not(isempty(ErrorCode) and isempty(ErrorMessage))\n| where UserIdentityAccountId == \"ANONYMOUS_PRINCIPAL\" or UserIdentityAccessKeyId <> RecipientAccountId\n| extend bucketName = tostring(parse_json(RequestParameters).bucketName), keyName = tostring(parse_json(RequestParameters).key)\n| summarize arg_max(TimeGenerated, *), failed_attempts = dcount(keyName) by UserIdentityAccountId, SourceIpAddress, bucketName\n| where failed_attempts > 20\n| extend UserIdentityUserName = iff(isnotempty(UserIdentityUserName), UserIdentityUserName, tostring(split(UserIdentityArn,'/')[-1]))\n| extend timestamp = TimeGenerated, IPCustomEntity = SourceIpAddress, AccountCustomEntity = UserIdentityUserName, bucketName\n",
"version": 2,
"tags": [
{
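Review bot: The external-principal filter on the line after the changed one, `UserIdentityAccessKeyId <> RecipientAccountId`, compares an access key ID with a 12-digit account ID, so it is true for practically every non-anonymous event and does not actually narrow results to foreign accounts; the intent looks like `UserIdentityAccountId <> RecipientAccountId`, which the generated mainTemplate inherits from the YAML and should be fixed there. Separately, `failed_attempts = dcount(keyName)` counts distinct object keys rather than failed requests, so twenty failed reads of a single key never cross the `> 20` threshold; `count()` (or carrying both a request count and a distinct-key count) matches the "Failed brute force" displayName better. The new negated condition `not(isempty(ErrorCode) and isempty(ErrorMessage))` is a correct inversion, but it also admits throttling and internal errors; restricting to `ErrorCode in ("AccessDenied", "NoSuchKey")` would keep the hunt focused on enumeration rather than transient S3 errors. Note too that GetObject only appears in AWSCloudTrail when S3 data events are enabled, which the query's description should state so users understand why it may return nothing.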
@@ -9537,7 +9537,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_FailedBruteForceWithoutMFA_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_FailedBruteForceWithoutMFA_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]",
@@ -9621,7 +9621,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_IAMAccsesDeniedDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_IAMAccsesDeniedDiscoveryEvents_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]",
@@ -9705,7 +9705,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_IAMUserGroupChanges_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_IAMUserGroupChanges_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]",
@@ -9789,7 +9789,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_LambdaFunctionThrottled_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_LambdaFunctionThrottled_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]",
@@ -9873,7 +9873,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_LambdaLayerImportedExternalAccount_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_LambdaLayerImportedExternalAccount_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]",
@@ -9957,7 +9957,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_LambdaUpdateFunctionCode_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_LambdaUpdateFunctionCode_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]",
@@ -10041,7 +10041,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_LoginProfileUpdated_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_LoginProfileUpdated_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]",
@@ -10125,7 +10125,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ModificationofRouteTableAttributes_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_ModificationofRouteTableAttributes_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]",
@@ -10209,7 +10209,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ModificationofSubnetAttributes_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_ModificationofSubnetAttributes_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]",
@@ -10293,7 +10293,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_ModificationofVPCAttributes_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_ModificationofVPCAttributes_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]",
@@ -10377,7 +10377,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_NetworkACLDeleted_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_NetworkACLDeleted_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]",
@@ -10461,7 +10461,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_NewRootAccessKey_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_NewRootAccessKey_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject26').huntingQueryVersion26]",
@@ -10545,7 +10545,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_PolicywithExcessivePermissions_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_PolicywithExcessivePermissions_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject27').huntingQueryVersion27]",
@@ -10629,7 +10629,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_RDSMasterPasswordChanged_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_RDSMasterPasswordChanged_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject28').huntingQueryVersion28]",
@@ -10713,7 +10713,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_RiskyRoleName_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_RiskyRoleName_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject29').huntingQueryVersion29]",
@@ -10797,7 +10797,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_S3BucketDeleted_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_S3BucketDeleted_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject30').huntingQueryVersion30]",
@@ -10881,7 +10881,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_S3BucketEncryptionModified_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_S3BucketEncryptionModified_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject31').huntingQueryVersion31]",
@@ -10965,7 +10965,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_STStoEC2_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_STStoEC2_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject32').huntingQueryVersion32]",
@@ -11049,7 +11049,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_STStoECS_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_STStoECS_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject33').huntingQueryVersion33]",
@@ -11133,7 +11133,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_STStoGlue_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_STStoGlue_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject34').huntingQueryVersion34]",
@@ -11217,7 +11217,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_STStoKWN_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_STStoKWN_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject35').huntingQueryVersion35]",
@@ -11301,7 +11301,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "AWS_STStoLambda_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "AWS_STStoLambda_HuntingQueries Hunting Query with template version 3.0.3",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('huntingQueryObject36').huntingQueryVersion36]",
@@ -11381,7 +11381,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.2",
+ "version": "3.0.3",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Amazon Web Services",
diff --git a/Solutions/Amazon Web Services/ReleaseNotes.md b/Solutions/Amazon Web Services/ReleaseNotes.md
index 93a89e34f54..2232f4ed0d6 100644
--- a/Solutions/Amazon Web Services/ReleaseNotes.md
+++ b/Solutions/Amazon Web Services/ReleaseNotes.md
@@ -1,5 +1,6 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
+| 3.0.3 | 27-05-2024 | Updated **Hunting Query** AWS_FailedBruteForceS3Bucket.yaml |
| 3.0.2 | 05-04-2024 | Updated awsS3 **Data connector**, added new Data Type CloudWatch |
| 3.0.1 | 22-12-2023 | Added new **Analytic Rule** (AWS Config Service Resource Deletion Attempts) |
| 3.0.0 | 04-12-2023 | Updated **Analytical Rule** AWS_GuardDuty_template with entity mappings |
\ No newline at end of file