CloudGuard Intelligence Updates
- April 18 2024
- April 02 2024
- February 14 2024
- July 03 2023
- June 18 2023
- May 28 2023
- April 23 2023
- March 30 2023
- March 29 2023
- March 20 2023
- March 05 2023
- February 19 2023
- February 05 2023
- January 22 2023
- January 16 2023
- January 15 2023
- December 25 2022
- December 11 2022
- November 28 2022
- November 13 2022
- November 07 2022
- November 06 2022
- October 30 2022
April 18 2024
| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| | High | Azure SUPERMAN Login | Modification | | | | D9.AZU.512.21827 | |
April 02 2024
| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| | Critical | Active Directory high-privileged role assigned to non-user entity | New | | | | D9.AZU.512.15964 | |
| | High | Elevated Azure Graph API permissions granted | New | | | | D9.AZU.512.96515 | |
| | Critical | Unauthorized actions under tenant's scope | New | | | | D9.AZU.512.23090 | |
| | High | Exploiting elevated user access administrator role | New | | | | D9.AZU.512.56418 | |
February 14 2024
| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| | Medium | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification | | | | D9.K8S.522.83805 | |
| | Medium | Outbound Traffic to a Compromised Server From a Kubernetes Cluster | Modification | | | | D9.K8S.522.44344 | |
| D9.AWS.108.75279 | Informational | EKS Cluster Deleted | Removal | | | | D9.AWS.108.75279 | |
| D9.AWS.108.02076 | Medium | Lack of Service Account Usage in Kubernetes Node | Removal | | | | D9.AWS.108.02076 | |
| D9.AWS.108.12930 | Low | EKS Cluster Control Plane Logs Disabled | Removal | | | | D9.AWS.108.12930 | |
| D9.AWS.108.88809 | Informational | Fargate Profile Created For Cluster | Removal | | | | D9.AWS.108.88809 | |
July 03 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Medium | Shared EBS Snapshot Was Copied by another AWS Account | Modification | | | | |
June 18 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Low | Abuse of unsuccessful AssumeRole | Modification | | | | |
May 28 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Informational | Discovery operation using multiple Describe / List APIs | Modification | | | | |
April 23 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | High | Access key used from multiple IPs | Modification | | | | |
March 30 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Medium | MFA failed attempts | Modification | | | | |
| | Low | S3 Bucket Object Collection Pattern | Modification | | | | |
March 29 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Informational | The trust policy of a role was modified to allow third party access | New | | | | |
| | Informational | CodeCommit GitPull Request | New | | | | |
| | Medium | MFA failed attempts | New | | | | |
| | High | Malicious Source Address Detected in SES or SNS | New | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
| | High | S3 Bucket Object Collection Pattern | New | | | | |
March 20 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Medium | External DescribeVpcs Request | New | | | | |
| | Medium | Multiple Describe APIs Detected | New | | | | |
March 05 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Informational | Account Password Policy Discovery | New | | | | |
| | Informational | Attach Role to Key Vault | New | | | | |
| | Informational | Failed Login Attempts to Your AZURE Console Using an Invalid Username or Password | New | | | | |
| | Informational | Security Group Modification | Modification | | | | |
| | Low | Storage account key regenerate | New | | | | |
| | Critical | VPC Traffic Mirroring Session Created | New | | | | |
February 19 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Informational | GuardDuty Disabled | Modification | | | | |
| | High | A Command Was Sent to All Managed Instances | Modification | | | | |
| | Low | A Container Has Been Stopped Due to Absence of an Attached Foreground Process | Modification | | | | |
| | Low | A Container Has Been Stopped Due to SIGKILL | Modification | | | | |
| | Low | A Container Has Been Stopped Due to SIGSEGV | Modification | | | | |
| | Low | A Container Has Been Stopped Due to SIGTERM | Modification | | | | |
| | Low | A Container Has Been Stopped Due to Application Error or Incorrect Reference | Modification | | | | |
| | Low | A New Overly-Permissive Policy Was Set to Default | Modification | | | | |
| | Informational | Abuse of Role Credentials | Modification | | | | |
| | Low | Abuse of Unsuccessful AssumeRole | Modification | | | | |
| | Low | Abuse of unsuccessful AssumeRole | Modification | | | | |
| | Low | Abuse of unsuccessful Role assignments | New | | | | |
| | Medium | Administrator Permissions Attached to a Role | Modification | | | | |
| | Low | Administrator Permissions Attached to a User | Modification | | | | |
| | Low | AdministratorAccess Permissions Attached to a Role | Modification | | | | |
| | Low | AdministratorAccess Permissions Attached to a User | Modification | | | | |
| | Low | AdministratorAccess Permissions were attached to a Role | Modification | | | | |
| | Medium | Policy Containing All Resources Attached to a Role | Modification | | | | |
| | Medium | Policy Containing All Resources Attached to a User | Modification | | | | |
| | High | IAM Policy Allowing Privilege Escalation via SSM Service | Modification | | | | |
| | Low | An Existing IAM Policy Version Was Set to Default | Modification | | | | |
| | Informational | An Image Was Pushed to a Repository | Modification | | | | |
| | Critical | An S3 object is Publicly Accessible | Modification | | | | |
| | Low | Azure App Role Assigned to Service Principals/Users/Groups | Modification | | | | |
| | Informational | Attach Role to Instance | Modification | | | | |
| | Informational | Attach Role to Virtual machine | New | | | | |
| | Informational | Attachment of User/Group/Role Policy | Modification | | | | |
| | High | Azure SUPERMAN Login | Modification | | | | |
| | Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification | | | | |
| | High | Brute-force Attack on an S3 Bucket | Modification | | | | |
| | Medium | A Policy with IAM CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity | Modification | | | | |
| | Informational | Ciem Trigger Event | Modification | | | | |
| | High | Crypto mining terms have been identified | Modification | | | | |
| | Low | EC2 created in multiple regions | Modification | | | | |
| | Informational | Failed Login Attempts to Your AWS Console Using an Invalid Username | Modification | | | | |
| | Medium | FullAccess Permissions Attached to a Role | Modification | | | | |
| | Medium | FullAccess Permissions Attached to a User | Modification | | | | |
| | Medium | Wide-Permissions Policy Attached to a Role | Modification | | | | |
| | Medium | Wide-Permissions Policy Attached to a User | Modification | | | | |
| | Low | Function Bindings Modified | Modification | | | | |
| | Low | IAM Permissions Enumeration | Modification | | | | |
| | High | Image Scanning Disabled For Repository | Modification | | | | |
| | High | Inbound Accepted Traffic From a Malicious IP Address | Modification | | | | |
| | High | Inbound Accepted Traffic From a Malicious IP Address | Modification | | | | |
| | High | Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address | Modification | | | | |
| | High | Inbound Accepted Traffic From a Malicious IP Address | Modification | | | | |
| | Low | Internal Rejected Traffic | Modification | | | | |
| | Low | Internal Rejected Traffic | Modification | | | | |
| | Medium | K8S SSH Access to Nodes From Pods | Modification | | | | |
| | Informational | Key Vault has been created | New | | | | |
| | Low | Large Number of Failed Logins to Azure | Modification | | | | |
| | Low | Large Number of Failed Logins to AWS console | Modification | | | | |
| | High | Login Attempt to Alibaba console From a Malicious IP Address | Modification | | | | |
| | Low | Azure Login Attempt With 2 Different User-Agents in a Short Time | Modification | | | | |
| | Low | Successful Console Logins From More Than One User-Agent | Modification | | | | |
| | Informational | Multiple New Instances Launched in a Short Period by a Specific User | Modification | | | | |
| | High | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification | | | | |
| | High | Outbound Traffic From DB Ports to Internet Destination | Modification | | | | |
| | High | Outbound Traffic From VPC to Internet Destination Using SMB | Modification | | | | |
| | High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification | | | | |
| | High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification | | | | |
| | Low | Outbound Traffic Suspected as Cryptomining Activity | Modification | | | | |
| | Critical | Outbound Traffic to Tor Exit Node | Modification | | | | |
| | Critical | Outbound Traffic to Tor Exit Node | Modification | | | | |
| | Critical | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Critical | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Critical | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Critical | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | High | Public S3 Bucket, Overly-Permissive Access Point Policy | Modification | | | | |
| | High | Public S3 Bucket, Overly-Permissive Bucket Policy | Modification | | | | |
| | Medium | Overly-Permissive IAM Policy Attached to a Role | Modification | | | | |
| | Medium | Overly-Permissive IAM Policy Attached to a User | Modification | | | | |
| | Medium | Overly-Permissive Lambda Permission | Modification | | | | |
| | Medium | Overly-Permissive Trust Policy Attached to a Role | Modification | | | | |
| | Medium | Overly-Permissive Policy Attached to an SES Identity | Modification | | | | |
| | Medium | Overly-Permissive SNS Policy | Modification | | | | |
| | Medium | Overly-Permissive SQS Policy | Modification | | | | |
| | Low | Owner Added to a Group | New | | | | |
| | Low | Owner Removed from a Group | New | | | | |
| | Low | Password Policy Change | Modification | | | | |
| | Informational | Permissions Modified For Blob | New | | | | |
| | Informational | Permissions Modified For Storage account | New | | | | |
| | Informational | Permissions Modified For Table | New | | | | |
| | Medium | Permissions Scanning Attempt | Modification | | | | |
| | Medium | Ping Sweep Activity From Within a Kubernetes Pod | Modification | | | | |
| | Medium | Ping Sweep Activity | Modification | | | | |
| | High | Port Scan of Internal Asset From ECS | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
| | High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification | | | | |
| | Low | Privilege Escalation via Policy Version | Modification | | | | |
| | High | RDS Instance Password Changed | Modification | | | | |
| | High | RDS Instance Publicly Accessible | Modification | | | | |
| | Informational | Role Detached from Virtual machine | New | | | | |
| | Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification | | | | |
| | High | Same User Login From Multiple Locations | Modification | | | | |
| | Informational | Security Group Modification | Modification | | | | |
| | High | Successful API Request Originated From a Suspicious User-Agent | Modification | | | | |
| | Critical | Successful API Request Originated From a Malicious IP Address | Modification | | | | |
| | Critical | Successful API Request Originated From a Malicious IP Address | Modification | | | | |
| | High | Suspicious Command Was Sent to a Managed Instance | Modification | | | | |
| | Low | Suspicious DNS Packet Size | Modification | | | | |
| | Low | Suspicious DNS Packet Size | Modification | | | | |
| | Low | Suspicious DNS Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious DNS Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious NTP Packet Size | Modification | | | | |
| | Low | Suspicious NTP Packet Size From a Kubernetes Pod | Modification | | | | |
| | Low | Suspicious NTP Packet Size | Modification | | | | |
| | Low | Suspicious NTP Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious NTP Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious NTP Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious NTP Packets Volume From a Kubernetes Pod | Modification | | | | |
| | High | Suspicious StartSession Event Was Triggered | Modification | | | | |
| | Low | Suspicious Outbound Traffic to a Phishing Server | Modification | | | | |
| | High | Public S3 Bucket, Overly-Permissive ACL | Modification | | | | |
| | High | Unsecured PassRole Permission Was Applied to a Role | Modification | | | | |
| | High | Unsecured PassRole Permission Was Applied to a User | Modification | | | | |
| | High | Unsecured Repository Created | Modification | | | | |
| | High | Unsecured Task Definition Created - Privileged Container | Modification | | | | |
| | High | Unsecured Task Definition Created - hostPath | Modification | | | | |
| | High | Unsecured Task Definition Created - Env Var and Command | Modification | | | | |
| | Informational | User Data has been modified | Modification | | | | |
February 05 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Medium | Azure Admin Consent Was Launched | Modification | | | | |
| | Medium | Policy Containing All Resources Attached to a Role | Modification | | | | |
| | Critical | An S3 object is Publicly Accessible | Modification | | | | |
| | Low | Azure App Role Assigned to Service Principals/Users/Groups | Modification | | | | |
| | Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification | | | | |
| | Medium | Credentials Were Added to an Azure AD Application | Modification | | | | |
| | Medium | Azure Credentials Were Added to an Azure AD Service Principal | Modification | | | | |
| | Medium | FullAccess Permissions Attached to a Role | Modification | | | | |
| | Medium | FullAccess Permissions Attached to a User | Modification | | | | |
| | High | Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address | Modification | | | | |
| | Medium | K8S Pod Access to Metadata | Modification | | | | |
| | High | Access key used from multiple IPs | New | | | | |
| | Low | Outbound Traffic to a Compromised Server From a Kubernetes Cluster | Modification | | | | |
| | Low | Suspicious NTP Packets Volume Per Session | Modification | | | | |
| | High | Suspicious EC2 Instance Without KeyPair Was Launched | Removal | | | | |
January 22 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Low | A New Overly-Permissive Policy Was Set to Default | Modification | | | | |
| | Low | Abuse of unsuccessful AssumeRole | Modification | | | | |
| | Low | Policy Containing All Resources Attached to a Role | Modification | | | | |
| | Medium | Policy Containing All Resources Attached to a User | Modification | | | | |
| | High | An S3 object is Publicly Accessible | Modification | | | | |
| | Medium | FullAccess Permissions Attached to a Role | Modification | | | | |
| | Medium | FullAccess Permissions Attached to a User | Modification | | | | |
| | Medium | Wide-Permissions Policy Attached to a Role | Modification | | | | |
| | Medium | Wide-Permissions Policy Attached to a User | Modification | | | | |
| | Low | Lambda Function Code Was Updated by an Entity Which Assumed a Role | Modification | | | | |
| | High | Public S3 Bucket, Overly-Permissive Access Point Policy | Modification | | | | |
| | High | Public S3 Bucket, Overly-Permissive Bucket Policy | Modification | | | | |
| | Medium | Overly-Permissive IAM Policy Attached to a Role | Modification | | | | |
| | Medium | Overly-Permissive IAM Policy Attached to a User | Modification | | | | |
| | Medium | Overly-Permissive Lambda Permission | Modification | | | | |
| | Medium | Overly-Permissive Trust Policy Attached to a Role | Modification | | | | |
| | Medium | Overly-Permissive Policy Attached to an SES Identity | Modification | | | | |
| | Medium | Overly-Permissive SQS Policy | Modification | | | | |
| | Informational | Port Scanning from the Internet | New | | | | |
| | High | Public S3 Bucket, Overly-Permissive ACL | Modification | | | | |
| | High | Unsecured PassRole Permission Was Applied to a User | Modification | | | | |
January 16 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Low | A Task on ECS Has Stopped Unexpectedly | Modification | | | | |
| | Low | Abuse of Unsuccessful AssumeRole | Modification | | | | |
| | Low | Abuse of unsuccessful AssumeRole | Modification | | | | |
| | Low | AdministratorAccess Permissions Attached to a Role | Modification | | | | |
| | Low | AdministratorAccess Permissions were attached to a Role | Modification | | | | |
| | Informational | An Image Was Pushed to a Repository | Modification | | | | |
| | Critical | An S3 object is Public Accessible | Modification | | | | |
| | Low | Azure App Role Assigned to Service Principals/Users/Groups | Modification | | | | |
| | High | Same User Login Attempt From Multiple Sources in a Short Period | Modification | | | | |
| | Informational | Blob Deleted | Modification | | | | |
| | Informational | CloudWatch Log Group Created | Modification | | | | |
| | Low | VPC Deleted | Modification | | | | |
| | Critical | EBS Snapshot Permission Modified to Public Access | Modification | | | | |
| | High | Shared EBS Snapshot Was Copied by an External Account | Modification | | | | |
| | Informational | Failed Login Attempts to Your AWS Console Using an Invalid Username | Modification | | | | |
| | Medium | FullAccess Permissions Attached to a User | Modification | | | | |
| | Low | Function App Host Master Key Modified | Modification | | | | |
| | Low | EKS Cluster Control Plane Logs Disabled | Modification | | | | |
| | Low | Several Failed Logins Attempts Followed by a Successful Login to Your AWS Console | Modification | | | | |
| | High | Login Attempt to AWS Console From a Malicious IP Address | Modification | | | | |
| | High | Login Attempt to Alibaba console From a Malicious IP Address | Modification | | | | |
| | High | Login Attempt to Azure From a Malicious IP Address | Modification | | | | |
| | Low | Modification Subnet Attributes | Modification | | | | |
| | High | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification | | | | |
| | High | Outbound Traffic From DB Ports to Internet Destination | Modification | | | | |
| | High | Outbound Traffic From VPC to Internet Destination Using SMB | Modification | | | | |
| | High | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification | | | | |
| | High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification | | | | |
| | High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification | | | | |
| | Critical | Outbound Traffic to Tor Exit Node | Modification | | | | |
| | Critical | Outbound Traffic to Tor Exit Node | Modification | | | | |
| | Critical | Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster | Modification | | | | |
| | Critical | Outbound Traffic to Tor Exit Node | Modification | | | | |
| | High | Suspicious Outbound Traffic to a Suspected CnC Server | Modification | | | | |
| | Critical | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Critical | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Critical | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Critical | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Medium | Overly-Permissive Trust Policy Attached to a Role | Modification | | | | |
| | Low | Password Policy Change | Modification | | | | |
| | High | RDS Instance Publicly Accessible | Modification | | | | |
| | Low | S3 Bucket Deleted | Modification | | | | |
| | High | Series of Enumeration API Calls Executed in Several Regions | Modification | | | | |
| | High | Suspicious StartSession Event Was Triggered | Modification | | | | |
January 15 2023
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | High | Azure SUPERMAN Login | Modification | | | | |
| | Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification | | | | |
| | Low | K8S Pod Access to Metadata | Modification | | | | |
| | Informational | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification | | | | |
| | Medium | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification | | | | |
| | Medium | Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster | Modification | | | | |
| | Medium | Outbound Traffic to a Compromised Server From a Kubernetes Cluster | Modification | | | | |
| | Low | Suspicious Outbound Traffic to a CnC Server From a Kubernetes Cluster | Modification | | | | |
| | High | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
| | Low | Suspicious DNS Packet Size | Modification | | | | |
| | Low | Suspicious DNS Packet Size From a Kubernetes Pod | Modification | | | | |
| | Low | Suspicious DNS Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious DNS Packets Volume From a Kubernetes Pod | Modification | | | | |
| | Low | Suspicious NTP Packets Volume Per Session | Modification | | | | |
| | Medium | Large Number of Failed Logins Followed by a Successful Login to Your Azure Account | Removal | | | | |
December 25 2022
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Low | Function Bindings Modified | Modification | | | | |
| | Low | Azure Login Attempt With 2 Different User-Agents in a Short Time | Modification | | | | |
| | High | Outbound Traffic to Tor Exit Node | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
| | Low | Suspicious NTP Packet Size | Modification | | | | |
December 11 2022
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Informational | Abuse of Role Credentials | Modification | | | | |
| | High | Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address | Modification | | | | |
| | High | Inbound Accepted Traffic From a Malicious IP Address | Modification | | | | |
| | Low | Large Number of Failed Logins to Azure | Modification | | | | |
| | Informational | Multiple New Instances Launched in a Short Period by a Specific User | Modification | | | | |
| | Low | Outbound Traffic From DB Ports to Internet Destination | Modification | | | | |
| | Informational | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
| | High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification | | | | |
| | Informational | Security Group Modification | Modification | | | | |
| | Low | Suspicious Outbound Traffic to a Phishing Server | Modification | | | | |
November 28 2022
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Informational | Abuse of Role Credentials | New | | | | |
| | High | Crypto mining terms have been identified | New | | | | |
| | Low | EC2 created in multiple regions | New | | | | |
| | High | Inbound Accepted Traffic From a Malicious IP Address | Modification | | | | |
| | Low | Large Number of Failed Logins to Azure | Modification | | | | |
| | Critical | Login Attempt to Azure From a Malicious IP Address | Modification | | | | |
| | High | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Medium | Overly-Permissive SNS Policy | Modification | | | | |
| | High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification | | | | |
| | Low | Suspicious NTP Packets Volume From a Kubernetes Pod | Modification | | | | |
| | High | Unsecured Task Definition Created - hostPath | Modification | | | | |
| | High | Unsecured Task Definition Created - Env Var and Command | Modification | | | | |
| | Informational | User Data has been modified | New | | | | |
| | High | Abuse of Access Token Generated by STS Dedicated For Lambda | Removal | | | | |
| | High | Abuse of Access Token Generated by STS Dedicated For EC2 | Removal | | | | |
| | Critical | Abuse of Access Token Generated by STS Dedicated for ECS | Removal | | | | |
| | Critical | Abuse of Access Token Generated by STS Dedicated For Kubernetes Node Group | Removal | | | | |
| | Critical | Abuse of Access Token Generated by STS Dedicated For Kubernetes Pod | Removal | | | | |
| | Low | Container Deleted | Removal | | | | |
| | Informational | Container Created | Removal | | | | |
November 13 2022
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Low | Function Bindings Modified | Modification | | | | |
| | High | Inbound Accepted Traffic From a Malicious IP Address | Modification | | | | |
| | Medium | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification | | | | |
| | High | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
November 07 2022
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Low | Internal Rejected Traffic | Modification | | | | |
| | Medium | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification | | | | |
| | Medium | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification | | | | |
| | High | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Medium | Ping Sweep Activity From Within a Kubernetes Pod | Modification | | | | |
| | Medium | Ping Sweep Activity | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
November 06 2022
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Low | Internal Rejected Traffic | Modification | | | | |
| | Low | Internal Rejected Traffic | Modification | | | | |
| | High | K8S Pod Access to Metadata | Modification | | | | |
| | Medium | K8S SSH Access to Nodes From Pods | Modification | | | | |
| | Medium | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification | | | | |
| | Medium | Outbound Traffic From DB Ports to Internet Destination | Modification | | | | |
| | Low | Outbound Traffic From VPC to Internet Destination Using SMB | Modification | | | | |
| | Informational | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification | | | | |
| | Medium | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification | | | | |
| | Informational | Outbound Traffic From VPC to Internet Destination Using RDP | Modification | | | | |
| | Low | Outbound Traffic Suspected as Cryptomining Activity | Modification | | | | |
| | High | Outbound Traffic to Tor Exit Node | Modification | | | | |
| | Medium | Suspicious Outbound Traffic to a Suspected CnC Server | Modification | | | | |
| | High | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Medium | Ping Sweep Activity From Within a Kubernetes Pod | Modification | | | | |
| | Medium | Ping Sweep Activity | Modification | | | | |
| | High | Port Scan of Internal Asset From ECS | Modification | | | | |
| | High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
| | Low | Suspicious DNS Packet Size | Modification | | | | |
| | Low | Suspicious DNS Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious NTP Packet Size | Modification | | | | |
| | Low | Suspicious NTP Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious Outbound Traffic to a Phishing Server | Modification | | | | |
| | High | Unsecured Task Definition Created - Dangerous Capabilities | Modification | | | | |
| | Medium | Unusual Exposed Ports on Instance | Modification | | | | |
| | Low | Outbound Traffic From a Kubernetes Cluster Suspected as Cryptomining Activity | Removal | | | | |
October 30 2022
Note: This is the first release note; it includes all changes from 11.09.2022 to 30.10.2022.
| Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
|---|---|---|---|---|---|---|---|
| | Informational | GuardDuty Disabled | Modification | | | | |
| | Low | GuardDuty Suspended | Modification | | | | |
| | Medium | Administrator Permissions Attached to a Role | Modification | | | | |
| | Low | Administrator Permissions Attached to a User | Modification | | | | |
| | Low | IAM Permissions Enumeration | Modification | | | | |
| | Low | Internal Rejected Traffic | Modification | | | | |
| | Low | Internal Rejected Traffic | Modification | | | | |
| | High | K8S Pod Access to Metadata | Modification | | | | |
| | Medium | K8S SSH Access to Nodes From Pods | Modification | | | | |
| | Critical | Login Attempt to Alibaba console From a Malicious IP Address | Modification | | | | |
| | Medium | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification | | | | |
| | Medium | Outbound Traffic From DB Ports to Internet Destination | Modification | | | | |
| | Low | Outbound Traffic From VPC to Internet Destination Using SMB | Modification | | | | |
| | Informational | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification | | | | |
| | Informational | Outbound Traffic From VPC to Internet Destination Using RDP | Modification | | | | |
| | Low | Outbound Traffic Suspected as Cryptomining Activity | Modification | | | | |
| | High | Outbound Traffic to Tor Exit Node | Modification | | | | |
| | Medium | Suspicious Outbound Traffic to a Suspected CnC Server | Modification | | | | |
| | High | Outbound Traffic to Malicious IP Addresses | Modification | | | | |
| | Medium | Ping Sweep Activity From Within a Kubernetes Pod | Modification | | | | |
| | Medium | Ping Sweep Activity | Modification | | | | |
| | High | Port Scan of Internal Asset From ECS | Modification | | | | |
| | High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification | | | | |
| | High | Port Scanning of an Internal Asset | Modification | | | | |
| | Informational | Project IAM Policy Updated | Modification | | | | |
| | Informational | Service Account IAM Policy Updated | Modification | | | | |
| | Low | Successful Login Without MFA | Modification | | | | |
| | Low | Suspicious DNS Packet Size | Modification | | | | |
| | Low | Suspicious DNS Packets Volume Per Session | Modification | | | | |
| | High | Suspicious ECS Task Has Been Executed | Modification | | | | |
| | Low | Suspicious NTP Packet Size | Modification | | | | |
| | Low | Suspicious NTP Packets Volume Per Session | Modification | | | | |
| | Low | Suspicious Outbound Traffic to a Phishing Server | Modification | | | | |
| | High | Unsecured Task Definition Created - Privileged Container | Modification | | | | |
| | Medium | Unusual Exposed Ports on Instance | Modification | | | | |