April 18 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.21827	High	Azure SUPERMAN Login	Modification	Logic			D9.AZU.512.21827	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Credential Access

April 02 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Rule ID	Affected Rulesets
D9.AZU.512.15964	Critical	Active Directory high-privileged role assigned to non-user entity	New	D9.AZU.512.15964	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.96515	High	Elevated Azure Graph API permissions granted	New	D9.AZU.512.96515	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Lateral Movement Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.23090	Critical	Unauthorized actions under tenant’s scope	New	D9.AZU.512.23090	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Lateral Movement
D9.AZU.512.56418	High	Exploiting elevated user access administrator role	New	D9.AZU.512.56418	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Lateral Movement

February 14 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.K8S.522.83805	Medium	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic Severity	Informational	Medium	D9.K8S.522.83805	Kubernetes CloudGuard Best Practices
D9.K8S.522.44344	Medium	Outbound Traffic to a Compromised Server From a Kubernetes Cluster	Modification	Logic Severity	Low	Medium	D9.K8S.522.44344	Kubernetes CloudGuard Best Practices
D9.AWS.108.75279	Informational	EKS Cluster Deleted	Removal				D9.AWS.108.75279	Kubernetes CloudGuard Best Practices
D9.AWS.108.02076	Medium	Lack of Service Account Usage in Kubernetes Node	Removal				D9.AWS.108.02076	Kubernetes CloudGuard Best Practices
D9.AWS.108.12930	Low	EKS Cluster Control Plane Logs Disabled	Removal				D9.AWS.108.12930	Kubernetes CloudGuard Best Practices
D9.AWS.108.88809	Informational	Fargate Profile Created For Cluster	Removal				D9.AWS.108.88809	Kubernetes CloudGuard Best Practices

July 03 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.108.30061	Medium	Shared EBS Snapshot Was Copied by another AWS Account	Modification	Name Severity	Shared EBS Snapshot Was Copied by an External Account High	Shared EBS Snapshot Was Copied by another AWS Account Medium	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices

June 18 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.103.02144	Low	Abuse of unsuccessful AssumeRole	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Best Practices

May 28 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.28997	Informational	Discovery operation using multiple Describe / List APIs	Modification	Name Logic Severity	Multiple Describe APIs Detected Medium	Discovery operation using multiple Describe / List APIs Informational	AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices

April 23 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.82498	High	Access key used from multiple IPs	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices

March 30 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.77808	Medium	MFA failed attempts	Modification	Logic			AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.502.81184	Low	S3 Bucket Object Collection Pattern	Modification	Severity	High	Low	AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Collection

March 29 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AWS.0.75748	Informational	The trust policy of a role was modified to allow third party access	New		AWS CloudGuard Best Practices
D9.AWS.502.29977	Informational	CodeCommit GitPull Request	New		AWS CloudGuard Best Practices
D9.AWS.502.77808	Medium	MFA failed attempts	New		AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.502.93892	High	Malicious Source Address Detected in SES or SNS	New		AWS CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.502.81184	High	S3 Bucket Object Collection Pattern	New		AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Collection

March 20 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.49684	Medium	External DescribeVpcs Request	New				AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.502.28997	Medium	Multiple Describe APIs Detected	New				AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices

March 05 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AWS.502.24751	Informational	Account Password Policy Discovery	New		AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AZU.512.86212	Informational	Attach Role to Key Vault	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.78826	Informational	Failed Login Attempts to Your AZURE Console Using an Invalid Username or Password	New		Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.101.50079	Informational	Security Group Modification	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AZU.512.55123	Low	Storage account key regenerate	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.502.35659	Critical	VPC Traffic Mirroring Session Created	New		AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Credential Access AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices

February 19 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AWS.0.89909	Informational	GuardDuty Disabled	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.502.94981	High	A Command Was Sent to All Managed Instances	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.108.02681	Low	A Container Has Been Stopped Due to Absence of an Attached Foreground Process	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.108.98942	Low	A Container Has Been Stopped Due to SIGKILL	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.108.93156	Low	A Container Has Been Stopped Due to SIGSEGV	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.108.51231	Low	A Container Has Been Stopped Due to SIGTERM	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.108.84400	Low	A Container Has Been Stopped Due to Application Error or Incorrect Reference	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.0.84417	Low	A New Overly-Permissive Policy Was Set to Default	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.502.54053	Informational	Abuse of Role Credentials	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.ALI.702.19961	Low	Abuse of Unsuccessful AssumeRole	Modification	Logic	Alibaba CloudGuard Best Practices
D9.AWS.103.02144	Low	Abuse of unsuccessful AssumeRole	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AZU.512.02147	Low	Abuse of unsuccessful Role assignments	New		Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AWS.102.06565	Medium	Administrator Permissions Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.74281	Low	Administrator Permissions Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.102.06361	Low	AdministratorAccess Permissions Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.49438	Low	AdministratorAccess Permissions Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.ALI.702.06360	Low	AdministratorAccess Permissions were attached to a Role	Modification	Logic	Alibaba CloudGuard Best Practices
D9.AWS.0.56594	Medium	Policy Containing All Resources Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.0.44855	Medium	Policy Containing All Resources Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.502.23667	High	IAM Policy Allowing Privilege Escalation via SSM Service	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.0.23097	Low	An Existing IAM Policy Version Was Set to Default	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.108.95360	Informational	An Image Was Pushed to a Repository	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution
D9.AWS.108.69243	Critical	An S3 object is Publicly Accessible	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.40041	Low	Azure App Role Assigned to Service Principals/Users/Groups	Modification	Logic	Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AWS.0.86206	Informational	Attach Role to Instance	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Account Activity
D9.AZU.512.86207	Informational	Attach Role to Virtual machine	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.0.17234	Informational	Attachment of User/Group/Role Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Account Activity
D9.AZU.512.21827	High	Azure SUPERMAN Login	Modification	Logic	Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Initial Access Azure CloudGuard Best Practices
D9.AZU.512.06380	Medium	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Logic	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.108.49195	High	Brute-force Attack on an S3 Bucket	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.0.71403	Medium	A Policy with IAM CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.802.0	Informational	Ciem Trigger Event	Modification	Logic	None
D9.AWS.502.75889	High	Crypto mining terms have been identified	Modification	Logic	AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.502.73254	Low	EC2 created in multiple regions	Modification	Logic	AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.104.78825	Informational	Failed Login Attempts to Your AWS Console Using an Invalid Username	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.107.02069	Medium	FullAccess Permissions Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.87124	Medium	FullAccess Permissions Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.107.94125	Medium	Wide-Permissions Policy Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.502.83517	Medium	Wide-Permissions Policy Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AZU.512.37886	Low	Function Bindings Modified	Modification	Logic	Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.105.66271	Low	IAM Permissions Enumeration	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.33582	High	Image Scanning Disabled For Repository	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AZU.107.71929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.GCP.515.44354	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic	GCP CloudGuard Network Traffic
D9.K8S.107.71929	High	Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.107.1929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.105.14069	Low	Internal Rejected Traffic	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.AWS.105.14069	Low	Internal Rejected Traffic	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.97652	Medium	K8S SSH Access to Nodes From Pods	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AZU.512.17236	Informational	Key Vault has been created	New		Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.56100	Low	Large Number of Failed Logins to Azure	Modification	Logic	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.104.31471	Low	Large Number of Failed Logins to AWS console	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.ALI.702.16860	High	Login Attempt to Alibaba console From a Malicious IP Address	Modification	Logic	Alibaba CloudGuard Best Practices
D9.AZU.512.51420	Low	Azure Login Attempt With 2 Different User-Agents in a Short Time	Modification	Logic	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.104.70939	Low	Successful Console Logins From More Than One User-Agent	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.108.32872	Informational	Multiple New Instances Launched in a Short Period by a Specific User	Modification	Logic	AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.K8S.106.00673	High	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.106.00673	High	Outbound Traffic From DB Ports to Internet Destination	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration
D9.AWS.107.22364	High	Outbound Traffic From VPC to Internet Destination Using SMB	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.GCP.515.45774	High	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Logic	GCP CloudGuard Network Traffic
D9.AWS.107.09562	High	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.98731	Low	Outbound Traffic Suspected as Cryptomining Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.GCP.515.47515	Critical	Outbound Traffic to Tor Exit Node	Modification	Logic	GCP CloudGuard Network Traffic
D9.AWS.107.02305	Critical	Outbound Traffic to Tor Exit Node	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.40828	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Logic	GCP CloudGuard Network Traffic
D9.K8S.522.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.0.90746	High	Public S3 Bucket, Overly-Permissive Access Point Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.58711	High	Public S3 Bucket, Overly-Permissive Bucket Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.107.54705	Medium	Overly-Permissive IAM Policy Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.107.91925	Medium	Overly-Permissive IAM Policy Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.80248	Medium	Overly-Permissive Lambda Permission	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.102.42790	Medium	Overly-Permissive Trust Policy Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.27256	Medium	Overly-Permissive Policy Attached to an SES Identity	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AWS.502.35353	Medium	Overly-Permissive SNS Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AWS.108.88304	Medium	Overly-Permissive SQS Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AZU.512.40042	Low	Owner Added to a Group	New		Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.40043	Low	Owner Removed from a Group	New		Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AWS.108.42542	Low	Password Policy Change	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.AZU.512.55554	Informational	Permissions Modified For Blob	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.55555	Informational	Permissions Modified For Storage account	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.55553	Informational	Permissions Modified For Table	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.106.95525	Medium	Permissions Scanning Attempt	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.K8S.105.87085	Medium	Ping Sweep Activity From Within a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.105.54069	High	Port Scan of Internal Asset From ECS	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.GCP.515.48951	High	Port Scanning of an Internal Asset	Modification	Logic	GCP CloudGuard Network Traffic
D9.K8S.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.103.82628	Low	Privilege Escalation via Policy Version	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.0.88439	High	RDS Instance Password Changed	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Serverless AWS CloudGuard Account Activity
D9.AWS.108.67850	High	RDS Instance Publicly Accessible	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.46487	Informational	Role Detached from Virtual machine	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.104.44218	Medium	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.104.92018	High	Same User Login From Multiple Locations	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Best Practices
D9.AWS.101.50079	Informational	Security Group Modification	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.106.83555	High	Successful API Request Originated From a Suspicious User-Agent	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AZU.512.85876	Critical	Successful API Request Originated From a Malicious IP Address	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Impact Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.108.74210	Critical	Successful API Request Originated From a Malicious IP Address	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.502.10631	High	Suspicious Command Was Sent to a Managed Instance	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Execution AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.09957	Low	Suspicious DNS Packet Size	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.GCP.515.54560	Low	Suspicious DNS Packet Size	Modification	Logic	GCP CloudGuard Network Traffic
D9.GCP.515.80600	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic	GCP CloudGuard Network Traffic
D9.AWS.107.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.GCP.515.61003	Low	Suspicious NTP Packet Size	Modification	Logic	GCP CloudGuard Network Traffic
D9.AZU.107.31879	Low	Suspicious NTP Packet Size From a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.97764	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic	GCP CloudGuard Network Traffic
D9.AWS.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.K8S.522.65125	Low	Suspicious NTP Packets Volume From a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.108.25508	High	Suspicious StartSession Event Was Triggered	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.101.97471	Low	Suspicious Outbound Traffic to a Phishing Server	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.108.32378	High	Public S3 Bucket, Overly-Permissive ACL	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.10767	High	Unsecured PassRole Permission Was Applied to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.17277	High	Unsecured PassRole Permission Was Applied to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.29542	High	Unsecured Repository Created	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.83241	High	Unsecured Task Definition Created - Privileged Container	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.63748	High	Unsecured Task Definition Created - hostPath	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.85090	High	Unsecured Task Definition Created - Env Var and Command	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.502.56156	Informational	User Data has been modified	Modification	Logic	AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices

February 05 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.512.65556	Medium	Azure Admin Consent Was Launched	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AWS.0.56594	Medium	Policy Containing All Resources Attached to a Role	Modification	Severity	Low	Medium	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.108.69243	Critical	An S3 object is Publicly Accessible	Modification	Severity	High	Critical	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.40041	Low	Azure App Role Assigned to Service Principals/Users/Groups	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.06380	Medium	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Severity	High	Medium	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.512.03312	Medium	Credentials Were Added to an Azure AD Application	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.512.35494	Medium	Azure Credentials Were Added to an Azure AD Service Principal	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.107.02069	Medium	FullAccess Permissions Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.87124	Medium	FullAccess Permissions Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.K8S.107.71929	High	Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.522.19248	Medium	K8S Pod Access to Metadata	Modification	Severity	Low	Medium	Kubernetes CloudGuard Best Practices
D9.AWS.502.82498	High	Access key used from multiple IPs	New				AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.K8S.522.44344	Low	Outbound Traffic to a Compromised Server From a Kubernetes Cluster	Modification	Severity	Medium	Low	Kubernetes CloudGuard Best Practices
D9.AZU.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.103.15235	High	Suspicious EC2 Instance Without KeyPair Was Launched	Removal				AWS CloudGuard Key Management AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices

January 22 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.0.84417	Low	A New Overly-Permissive Policy Was Set to Default	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.103.02144	Low	Abuse of unsuccessful AssumeRole	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.0.56594	Low	Policy Containing All Resources Attached to a Role	Modification	Logic Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.0.44855	Medium	Policy Containing All Resources Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.108.69243	High	An S3 object is Publicly Accessible	Modification	Name Logic Severity	An S3 object is Public Accessible Critical	An S3 object is Publicly Accessible High	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.107.02069	Medium	FullAccess Permissions Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.87124	Medium	FullAccess Permissions Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.107.94125	Medium	Wide-Permissions Policy Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.502.83517	Medium	Wide-Permissions Policy Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.103.07409	Low	Lambda Function Code Was Updated by an Entity Which Assumed a Role	Modification	Name	Lambda Function Code Was Updated by an Enitity Which Assumed a Role	Lambda Function Code Was Updated by an Entity Which Assumed a Role	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.0.90746	High	Public S3 Bucket, Overly-Permissive Access Point Policy	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.58711	High	Public S3 Bucket, Overly-Permissive Bucket Policy	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.107.54705	Medium	Overly-Permissive IAM Policy Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.107.91925	Medium	Overly-Permissive IAM Policy Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.80248	Medium	Overly-Permissive Lambda Permission	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.102.42790	Medium	Overly-Permissive Trust Policy Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.27256	Medium	Overly-Permissive Policy Attached to an SES Identity	Modification	Name Logic	Overly-Permissive Policy Attached to an SES Idnetity	Overly-Permissive Policy Attached to an SES Identity	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AWS.108.88304	Medium	Overly-Permissive SQS Policy	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AWS.502.49424	Informational	Port Scanning from the Internet	New				AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.32378	High	Public S3 Bucket, Overly-Permissive ACL	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.17277	High	Unsecured PassRole Permission Was Applied to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices

January 16 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.108.37464	Low	A Task on ECS Has Stopped Unexpectedly	Modification	Severity	Medium	Low	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact
D9.ALI.702.19961	Low	Abuse of Unsuccessful AssumeRole	Modification	Severity	Medium	Low	Alibaba CloudGuard Best Practices
D9.AWS.103.02144	Low	Abuse of unsuccessful AssumeRole	Modification	Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.102.06361	Low	AdministratorAccess Permissions Attached to a Role	Modification	Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.ALI.702.06360	Low	AdministratorAccess Permissions were attached to a Role	Modification	Severity	Medium	Low	Alibaba CloudGuard Best Practices
D9.AWS.108.95360	Informational	An Image Was Pushed to a Repository	Modification	Severity	Low	Informational	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution
D9.AWS.108.69243	Critical	An S3 object is Public Accessible	Modification	Severity	High	Critical	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.40041	Low	Azure App Role Assigned to Service Principals/Users/Groups	Modification	Severity	Medium	Low	Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.06380	High	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Severity	Medium	High	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.512.46271	Informational	Blob Deleted	Modification	Severity	Low	Informational	Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.0.86971	Informational	CloudWatch Log Group Created	Modification	Severity	Low	Informational	AWS CloudGuard Cloud Asset Management AWS CloudGuard Account Activity
D9.AWS.108.39020	Low	VPC Deleted	Modification	Severity	Medium	Low	AWS CloudGuard Network Security AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact
D9.AWS.108.36215	Critical	EBS Snapshot Permission Modified to Public Access	Modification	Severity	Medium	Critical	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.30061	High	Shared EBS Snapshot Was Copied by an External Account	Modification	Severity	Low	High	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.104.78825	Informational	Failed Login Attempts to Your AWS Console Using an Invalid Username	Modification	Severity	Low	Informational	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.0.87124	Medium	FullAccess Permissions Attached to a User	Modification	Severity	Low	Medium	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AZU.512.81115	Low	Function App Host Master Key Modified	Modification	Severity	Medium	Low	Azure CloudGuard Identity and Access Management Azure CloudGuard Key Management Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Credential Access Azure MITRE ATT&CK ™ - Impact Azure MITRE ATT&CK ™ - Execution Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.108.12930	Low	EKS Cluster Control Plane Logs Disabled	Modification	Severity	Medium	Low	Kubernetes CloudGuard Best Practices
D9.AWS.104.18467	Low	Several Failed Logins Attempts Followed by a Successful Login to Your AWS Console	Modification	Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.108.92844	High	Login Attempt to AWS Console From a Malicious IP Address	Modification	Severity	Critical	High	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.ALI.702.16860	High	Login Attempt to Alibaba console From a Malicious IP Address	Modification	Severity	Critical	High	Alibaba CloudGuard Best Practices
D9.AZU.512.69098	High	Login Attempt to Azure From a Malicious IP Address	Modification	Severity	Critical	High	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AWS.108.48576	Low	Modification Subnet Attributes	Modification	Severity	Medium	Low	AWS CloudGuard Network Security AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.K8S.106.00673	High	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Severity	Medium	High	Kubernetes CloudGuard Best Practices
D9.AWS.106.00673	High	Outbound Traffic From DB Ports to Internet Destination	Modification	Severity	Low	High	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration
D9.AWS.107.22364	High	Outbound Traffic From VPC to Internet Destination Using SMB	Modification	Severity	Low	High	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.512.09562	High	Outbound Traffic From a VPC to an Internet Destination Using RDP	Modification	Severity	Medium	High	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.45774	High	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Severity	Informational	High	GCP CloudGuard Network Traffic
D9.AWS.107.09562	High	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Severity	Informational	High	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AZU.101.02305	Critical	Outbound Traffic to Tor Exit Node	Modification	Severity	High	Critical	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.47515	Critical	Outbound Traffic to Tor Exit Node	Modification	Severity	High	Critical	GCP CloudGuard Network Traffic
D9.K8S.522.02305	Critical	Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster	Modification	Severity	Medium	Critical	Kubernetes CloudGuard Best Practices
D9.AWS.107.02305	Critical	Outbound Traffic to Tor Exit Node	Modification	Severity	High	Critical	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.04785	High	Suspicious Outbound Traffic to a Suspected CnC Server	Modification	Severity	Medium	High	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Severity	High	Critical	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.40828	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Severity	High	Critical	GCP CloudGuard Network Traffic
D9.K8S.522.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Severity	High	Critical	Kubernetes CloudGuard Best Practices
D9.AWS.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Severity	High	Critical	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.102.42790	Medium	Overly-Permissive Trust Policy Attached to a Role	Modification	Severity	High	Medium	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.42542	Low	Password Policy Change	Modification	Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.AWS.108.67850	High	RDS Instance Publicly Accessible	Modification	Severity	Medium	High	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.48158	Low	S3 Bucket Deleted	Modification	Severity	Medium	Low	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.106.91932	High	Series of Enumeration API Calls Executed in Several Regions	Modification	Severity	Medium	High	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.108.25508	High	Suspicious StartSession Event Was Triggered	Modification	Severity	Critical	High	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices

January 15 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.512.21827	High	Azure SUPERMAN Login	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Initial Access Azure CloudGuard Best Practices
D9.AZU.512.06380	Medium	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.522.19248	Low	K8S Pod Access to Metadata	Modification	Logic Severity	High	Low	Kubernetes CloudGuard Best Practices
D9.K8S.522.83805	Informational	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AZU.512.09562	Medium	Outbound Traffic From a VPC to an Internet Destination Using RDP	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.K8S.522.02305	Medium	Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster	Modification	Logic Severity	High	Medium	Kubernetes CloudGuard Best Practices
D9.K8S.522.44344	Medium	Outbound Traffic to a Compromised Server From a Kubernetes Cluster	Modification	Logic Severity	Low	Medium	Kubernetes CloudGuard Best Practices
D9.K8S.522.04785	Low	Suspicious Outbound Traffic to a CnC Server From a Kubernetes Cluster	Modification	Name Logic	Suspicious Outbound Traffic as Backdoor to a CnC Server From a Kubernetes Cluster	Suspicious Outbound Traffic to a CnC Server From a Kubernetes Cluster	Kubernetes CloudGuard Best Practices
D9.K8S.522.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AZU.512.17551	High	Port Scanning of an Internal Asset	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AZU.512.09957	Low	Suspicious DNS Packet Size	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.K8S.522.09957	Low	Suspicious DNS Packet Size From a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AZU.512.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.K8S.522.37118	Low	Suspicious DNS Packets Volume From a Kubernetes Pod	Modification	Name Logic	Suspicious DNS Packets Volume Per Session From a Kubernetes Pod	Suspicious DNS Packets Volume From a Kubernetes Pod	Kubernetes CloudGuard Best Practices
D9.AZU.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AZU.512.31179	Medium	Large Number of Failed Logins Followed by a Successful Login to Your Azure Account	Removal				Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices

December 25 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AZU.512.37886	Low	Function Bindings Modified	Modification	Logic	Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.51420	Low	Azure Login Attempt With 2 Different User-Agents in a Short Time	Modification	Logic	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.101.02305	High	Outbound Traffic to Tor Exit Node	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AZU.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices

December 11 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.54053	Informational	Abuse of Role Credentials	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.K8S.107.71929	High	Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.107.1929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.512.56100	Low	Large Number of Failed Logins to Azure	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.108.32872	Informational	Multiple New Instances Launched in a Short Period by a Specific User	Modification	Logic Severity	Low	Informational	AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.106.00673	Low	Outbound Traffic From DB Ports to Internet Destination	Modification	Logic Severity	Medium	Low	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration
D9.AWS.0.83805	Informational	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AZU.105.17551	High	Port Scanning of an Internal Asset	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.K8S.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.101.50079	Informational	Security Group Modification	Modification	Logic Severity	Medium	Informational	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.101.97471	Low	Suspicious Outbound Traffic to a Phishing Server	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices

November 28 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.54053	Informational	Abuse of Role Credentials	New				AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.AWS.502.75889	High	Crypto mining terms have been identified	New				AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.502.73254	Low	EC2 created in multiple regions	New				AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AZU.107.71929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AZU.512.56100	Low	Large Number of Failed Logins to Azure	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.512.69098	Critical	Login Attempt to Azure From a Malicious IP Address	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AZU.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.502.35353	Medium	Overly-Permissive SNS Policy	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.K8S.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.K8S.522.65125	Low	Suspicious NTP Packets Volume From a Kubernetes Pod	Modification	Name Logic	Suspicious NTP Packets Volume Per Session From a Kubernetes Pod	Suspicious NTP Packets Volume From a Kubernetes Pod	Kubernetes CloudGuard Best Practices
D9.AWS.108.63748	High	Unsecured Task Definition Created - hostPath	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.85090	High	Unsecured Task Definition Created - Env Var and Command	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.502.56156	Informational	User Data has been modified	New				AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.104.99097	High	Abuse of Access Token Generated by STS Dedicated For Lambda	Removal				AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.104.50303	High	Abuse of Access Token Generated by STS Dedicated For EC2	Removal				AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.AWS.108.40808	Critical	Abuse of Access Token Generated by STS Dedicated for ECS	Removal				AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.55223	Critical	Abuse of Access Token Generated by STS Dedicated For Kubernetes Node Group	Removal				Kubernetes CloudGuard Best Practices
D9.AWS.108.13381	Critical	Abuse of Access Token Generated by STS Dedicated For Kubernetes Pod	Removal				AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.87418	Low	Container Deleted	Removal				Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.80640	Informational	Container Created	Removal				Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure MITRE ATT&CK ™ - Execution Azure CloudGuard Serverless Azure CloudGuard Best Practices

November 13 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AZU.512.37886	Low	Function Bindings Modified	Modification	Logic	Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.107.71929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.K8S.106.00673	Medium	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AZU.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices

November 07 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AZU.105.14069	Low	Internal Rejected Traffic	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.K8S.106.00673	Medium	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AZU.107.09562	Medium	Outbound Traffic From a VPC to an Internet Destination Using RDP	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.K8S.105.87085	Medium	Ping Sweep Activity From Within a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices

November 06 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AZU.105.14069	Low	Internal Rejected Traffic	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.AWS.105.14069	Low	Internal Rejected Traffic	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.19248	High	K8S Pod Access to Metadata	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.108.97652	Medium	K8S SSH Access to Nodes From Pods	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.K8S.106.00673	Medium	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.106.00673	Medium	Outbound Traffic From DB Ports to Internet Destination	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.107.22364	Low	Outbound Traffic From VPC to Internet Destination Using SMB	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.0.83805	Informational	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AZU.107.09562	Medium	Outbound Traffic From a VPC to an Internet Destination Using RDP	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.107.09562	Informational	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.98731	Low	Outbound Traffic Suspected as Cryptomining Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.02305	High	Outbound Traffic to Tor Exit Node	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.04785	Medium	Suspicious Outbound Traffic to a Suspected CnC Server	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.K8S.105.87085	Medium	Ping Sweep Activity From Within a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.105.54069	High	Port Scan of Internal Asset From ECS	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.107.09957	Low	Suspicious DNS Packet Size	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.101.97471	Low	Suspicious Outbound Traffic to a Phishing Server	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.54497	High	Unsecured Task Definition Created - Dangerous Capabilities	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.64899	Medium	Unusual Exposed Ports on Instance	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.K8S.108.98731	Low	Outbound Traffic From a Kubernetes Cluster Suspected as Cryptomining Activity	Removal		Kubernetes CloudGuard Best Practices

October 30 2022

Note: This is the first RN, Include all changes from 11.09.2022 to 30.10.2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.0.89909	Informational	GuardDuty Disabled	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.0.22599	Low	GuardDuty Suspended	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.102.06565	Medium	Administrator Permissions Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.74281	Low	Administrator Permissions Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.105.66271	Low	IAM Permissions Enumeration	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AZU.105.14069	Low	Internal Rejected Traffic	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.AWS.105.14069	Low	Internal Rejected Traffic	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.19248	High	K8S Pod Access to Metadata	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.108.97652	Medium	K8S SSH Access to Nodes From Pods	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.ALI.702.16860	Critical	Login Attempt to Alibaba console From a Malicious IP Address	Modification	Name	Login Attempt to AWS console From a Malicious IP Address	Login Attempt to Alibaba console From a Malicious IP Address	Alibaba CloudGuard Best Practices
D9.K8S.106.00673	Medium	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.106.00673	Medium	Outbound Traffic From DB Ports to Internet Destination	Modification	Logic			AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.107.22364	Low	Outbound Traffic From VPC to Internet Destination Using SMB	Modification	Logic			AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.0.83805	Informational	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.107.09562	Informational	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Logic			AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.98731	Low	Outbound Traffic Suspected as Cryptomining Activity	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.02305	High	Outbound Traffic to Tor Exit Node	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.04785	Medium	Suspicious Outbound Traffic to a Suspected CnC Server	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.K8S.105.87085	Medium	Ping Sweep Activity From Within a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.105.54069	High	Port Scan of Internal Asset From ECS	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.GCP.514.992293	Informational	Project IAM Policy Updated	Modification	Logic			GCP CloudGuard Account Activity
D9.GCP.514.62109	Informational	Service Account IAM Policy Updated	Modification	Logic			GCP CloudGuard Account Activity
D9.AZU.512.41592	Low	Successful Login Without MFA	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.107.09957	Low	Suspicious DNS Packet Size	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.108.44909	High	Suspicious ECS Task Has Been Executed	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution
D9.AWS.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.101.97471	Low	Suspicious Outbound Traffic to a Phishing Server	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.83241	High	Unsecured Task Definition Created - Privileged Container	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.64899	Medium	Unusual Exposed Ports on Instance	Modification	Logic			AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices

CloudGuard Dome9 Release Notes

CloudGuard Intelligence Updates

April 18 2024

April 02 2024

February 14 2024

July 03 2023

June 18 2023

May 28 2023

April 23 2023

March 30 2023

March 29 2023

March 20 2023

March 05 2023

February 19 2023

February 05 2023

January 22 2023

January 16 2023

January 15 2023

December 25 2022

December 11 2022

November 28 2022

November 13 2022

November 07 2022

November 06 2022

October 30 2022