CloudGuard Intelligence Updates
Â
- 1 November 11 2024
- 2 November 04 2024
- 3 October 16 2024
- 4 October 07 2024
- 5 September 30 2024
- 6 September 16 2024
- 7 September 05 2024
- 8 August 11 2024
- 9 August 06 2024
- 10 July 24 2024
- 11 July 04 2024
- 12 June 24 2024
- 13 June 18 2024
- 14 June 17 2024
- 15 June 06 2024
- 16 May 27 2024
- 17 May 26 2024
- 18 May 21 2024
- 19 April 18 2024
- 20 April 02 2024
- 21 February 14 2024
- 22 July 03 2023
- 23 June 18 2023
- 24 May 28 2023
- 25 April 23 2023
- 26 March 30 2023
- 27 March 29 2023
- 28 March 20 2023
- 29 March 05 2023
- 30 February 19 2023
- 31 February 05 2023
- 32 January 22 2023
- 33 January 16 2023
- 34 January 15 2023
- 35 December 25 2022
- 36 December 11 2022
- 37 November 28 2022
- 38 November 13 2022
- 39 November 07 2022
- 40 November 06 2022
- 41 October 30 2022
November 11 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | Crypto mining terms have been identified | Modification |
| Â | Â | D9.AWS.502.75889 |
|
November 04 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | AWS Outbound Traffic from DB Ports to Internet Destination | Modification |
|
|
| D9.AWS.106.00673 |
| |
Medium | AWS Outbound Response from Server Remote Access Port to Malicious IP Address | Modification |
|
|
| D9.AWS.502.62800 |
| |
Critical | AWS Outbound Communication from Server DB Port to Malicious IP Address | Modification |
|
|
| D9.AWS.502.54494 |
| |
Critical | AWS Outbound Communication from Server Filesharing Port to Malicious IP Address | Modification |
|
|
| D9.AWS.502.41540 |
| |
Critical | AWS Outbound Communication from Server Remote Access Port to Malicious IP Address | Modification |
|
|
| D9.AWS.502.95086 |
| |
Low | AWS Outbound Response from Server DB Port to Malicious IP Address | Modification |
|
|
| D9.AWS.502.62133 |
| |
Informational | AWS Outbound Response from Server Network Port to Malicious IP Address | Modification |
|
|
| D9.AWS.502.82906 |
| |
Low | AWS Outbound Response from Server Filesharing Port to Malicious IP Address | Modification |
|
|
| D9.AWS.502.86161 |
| |
High | AWS Inbound Accepted Traffic from Malicious IP Address | Modification |
|
|
| D9.AWS.107.1929 |
| |
Low | AWS Outbound Traffic Suspected as Cryptomining Activity | Modification |
|
|
| D9.AWS.108.98731 |
| |
High | AWS Outbound Traffic from VPC to Internet Destination using RDP | Modification |
|
|
| D9.AWS.107.09562 |
| |
High | AWS Outbound Traffic from VPC to Internet Destination using SMB | Modification |
|
|
| D9.AWS.107.22364 |
| |
Low | AWS Outbound Traffic to Compromised Server | Modification |
|
|
| D9.AWS.107.44344 |
| |
Low | Abuse of Unsuccessful AssumeRole | Modification |
| Â | Â | D9.ALI.702.19961 |
| |
Critical | AWS Outbound Traffic to TOR Exit Node | Modification |
|
|
| D9.AWS.107.02305 |
| |
High | AWS Suspicious Outbound Traffic to Suspected CnC Server | Modification |
|
|
| D9.AWS.107.04785 |
| |
Informational | AWS Security Group Modification | Modification |
|
|
| D9.AWS.101.50079 |
| |
Low | AWS Suspicious Outbound Traffic to Phishing Server | Modification |
|
|
| D9.AWS.101.97471 |
| |
Low | AdministratorAccess Permissions were attached to a Role | Modification |
| Â | Â | D9.ALI.702.06360 |
| |
Low | A User Was Added to an Admin Group | Modification |
| Â | Â | D9.AWS.0.28676 |
| |
Medium | A Policy with IAM CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity | Modification |
| Â | Â | D9.AWS.0.71403 |
| |
Medium | A Policy With S3 CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity | Modification |
| Â | Â | D9.AWS.0.38420 |
| |
Low | App Role Assigned to Service Principals or Users or Groups | Modification |
|
|
| D9.AZU.512.40041 |
| |
High | Auto Scale Instance Disabled | Modification |
| Â | Â | D9.AZU.512.82136 |
| |
Medium | Azure Credentials Were Added to an Azure AD Service Principal | Modification |
| Â | Â | D9.AZU.512.35494 |
| |
Low | An Existing IAM Policy Version Was Set to Default | Modification |
| Â | Â | D9.AWS.0.23097 |
| |
Informational | Attachment of User or Group or Role Policy | Modification |
|
|
| D9.AWS.0.17234 |
| |
Medium | Access Key Status Changed to Active or Inactive | Modification |
|
|
| D9.AWS.0.35359 |
| |
Low | AdministratorAccess Permissions Attached to a Role | Modification |
| Â | Â | D9.AWS.102.06361 |
| |
Low | Access Key Created | Modification |
| Â | Â | D9.AWS.104.71471 |
| |
Low | AdministratorAccess Permissions Attached to a User | Modification |
| Â | Â | D9.AWS.0.49438 |
| |
Critical | Azure Outbound Communication from Server DB Port to Malicious IP Address | Modification |
|
|
| D9.AZU.512.64183 |
| |
High | Azure Inbound Accepted Traffic from Malicious IP Address | Modification |
|
|
| D9.AZU.107.71929 |
| |
Critical | Azure Outbound Communication from Server Filesharing Port to Malicious IP Address | Modification |
|
|
| D9.AZU.512.86610 |
| |
Critical | Azure Outbound Communication from Server Remote Access Port to Malicious IP Address | Modification |
|
|
| D9.AZU.512.68557 |
| |
Low | Azure Outbound Response from Server DB Port to Malicious IP Address | Modification |
|
|
| D9.AZU.512.25894 |
| |
Low | Azure Outbound Response from Server Filesharing Port to Malicious IP Address | Modification |
|
|
| D9.AZU.512.25639 |
| |
Low | Azure Outbound Response from Server Remote Access Port to Malicious IP Address | Modification |
|
|
| D9.AZU.512.67901 |
| |
Low | Azure Outbound Traffic to Compromised Server | Modification |
|
|
| D9.AZU.512.42349 |
| |
Informational | Azure Outbound Traffic to Malicious IP Addresses | Modification |
|
|
| D9.AZU.512.86161 |
| |
Informational | CodeCommit GitPull Request | Modification |
| Â | Â | D9.AWS.502.29977 |
| |
Informational | Azure Security Group Modification | Modification |
|
|
| D9.AZU.512.93662 |
| |
High | Azure Outbound Traffic from VPC to Internet Destination using RDP | Modification |
|
|
| D9.AZU.512.09562 |
| |
Informational | Discovery operation using multiple Describe or List APIs | Modification |
|
|
| D9.AWS.502.28997 |
| |
High | GCP Inbound Accepted Traffic from Malicious IP Address | Modification |
|
|
| D9.GCP.515.44354 |
| |
Critical | Azure Outbound Traffic to TOR Exit Node | Modification |
|
|
| D9.AZU.101.02305 |
| |
Medium | External DescribeVpcs Request | Modification |
| Â | Â | D9.AWS.502.49684 |
| |
High | Inbound Accepted Traffic to Kubernetes Cluster from Malicious IP Address | Modification |
|
|
| D9.K8S.107.71929 |
| |
High | GCP Outbound Traffic from VPC to Internet Destination using RDP | Modification |
|
|
| D9.GCP.515.45774 |
| |
Critical | GCP Outbound Traffic to Malicious IP Addresses | Modification |
|
|
| D9.GCP.515.40828 |
| |
Critical | GCP Outbound Traffic to TOR Exit Node | Modification |
|
|
| D9.GCP.515.47515 |
| |
Medium | K8S SSH Access to Nodes from Pods | Modification |
|
|
| D9.AWS.108.97652 |
| |
Critical | EC2 AMI is made public in AWS | Modification |
|
|
| D9.AWS.100.57034 |
| |
Critical | Outbound Kubernetes Traffic to Malicious IP Addresses | Modification |
|
|
| D9.K8S.522.86159 |
| |
High | Outbound Traffic to Internet Destination from DB Ports within Kubernetes Cluster | Modification |
|
|
| D9.K8S.106.00673 |
| |
Medium | Outbound Traffic from Kubernetes Cluster to Internet Destination Using SSH | Modification |
|
|
| D9.K8S.522.83805 |
| |
High | Brute-force Attack on an S3 Bucket | Modification |
| Â | Â | D9.AWS.108.49195 |
| |
Critical | Outbound Traffic to TOR Exit Node from within Kubernetes Cluster | Modification |
|
|
| D9.K8S.522.02305 |
| |
Low | IAM Permissions Enumeration | Modification |
| Â | Â | D9.AWS.105.66271 |
| |
Informational | Function Created | Modification |
| Â | Â | D9.AZU.512.14996 |
| |
Medium | Lambda DoS | Modification |
| Â | Â | D9.AWS.108.32796 |
| |
Medium | Lambda Layer Was Added From an External Account | Modification |
| Â | Â | D9.AWS.107.92598 |
| |
Medium | IAM Policy Allowing Privilege Escalation via EC2 Service | Modification |
| Â | Â | D9.AWS.102.25662 |
| |
Low | Large Number of Failed Logins to Azure | Modification |
| Â | Â | D9.AZU.512.56100 |
| |
Medium | Ping Sweep Activity | Modification |
| Â | Â | D9.AWS.105.87086 |
| |
Medium | Overly-Permissive Policy Attached to an SES Identity | Modification |
| Â | Â | D9.AWS.108.27256 |
| |
Low | Password Policy Change | Modification |
| Â | Â | D9.AWS.108.42542 |
| |
Medium | Overly-Permissive SQS Policy | Modification |
| Â | Â | D9.AWS.108.88304 |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â | D9.GCP.515.48951 |
| |
Medium | Overly-Permissive Lambda Permission | Modification |
| Â | Â | D9.AWS.108.80248 |
| |
Informational | Port Scanning from the Internet | Modification |
| Â | Â | D9.AWS.502.49424 |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â | D9.AZU.512.17551 |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â | D9.AWS.105.7551 |
| |
High | Port Scan of Internal Asset From ECS | Modification |
| Â | Â | D9.AWS.105.54069 |
| |
Low | S3 Bucket Object Collection Pattern | Modification |
| Â | Â | D9.AWS.502.81184 |
| |
High | RDS Instance Password Changed | Modification |
| Â | Â | D9.AWS.0.88439 |
| |
Low | S3 Objects Deleted | Modification |
|
|
| D9.AWS.108.93965 |
| |
Informational | Role Disassociated from Instance | Modification |
| Â | Â | D9.AWS.0.11261 |
| |
High | RDS Instance Publicly Accessible | Modification |
| Â | Â | D9.AWS.108.67850 |
| |
Low | S3 Bucket Configurations Deleted | Modification |
| Â | Â | D9.AWS.0.90316 |
| |
Medium | S3 Bucket Versioning Suspended | Modification |
| Â | Â | D9.AWS.108.26846 |
| |
Low | Several Failed Logins Attempts Followed by a Successful Login to Your AWS Console | Modification |
| Â | Â | D9.AWS.104.18467 |
| |
Critical | Successful API Request Originated From a Tor Exit Node | Modification |
| Â | Â | D9.AWS.108.44333 |
| |
Low | Successful Console Logins From More Than One User-Agent | Modification |
| Â | Â | D9.AWS.104.70939 |
| |
Low | Suspicious DNS Packet Size | Modification |
| Â | Â | D9.GCP.515.54560 |
| |
Low | Suspicious DNS Packets Volume Per Session | Modification |
| Â | Â | D9.GCP.515.80600 |
| |
Low | Suspicious NTP Packet Size | Modification |
| Â | Â | D9.GCP.515.61003 |
| |
Low | Suspicious DNS Packet Size | Modification |
| Â | Â | D9.AWS.107.09957 |
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â | D9.GCP.515.97764 |
| |
Critical | Unauthorized actions under tenant scope | Modification |
|
|
| D9.AZU.512.23090 |
| |
Low | Suspicious DNS Packets Volume Per Session | Modification |
| Â | Â | D9.AWS.107.37118 |
| |
High | Suspicious StartSession Event Was Triggered | Modification |
| Â | Â | D9.AWS.108.25508 |
| |
Low | Suspicious NTP Packet Size | Modification |
| Â | Â | D9.AWS.107.31878 |
| |
High | Temporary Credentials Created From Permanent User | Modification |
| Â | Â | D9.AWS.103.40436 |
| |
High | Unsecured Task Definition Created - hostPath | Modification |
| Â | Â | D9.AWS.108.63748 |
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â | D9.AWS.107.65125 |
| |
Low | Suspicious NTP Packet Size | Modification |
| Â | Â | D9.AZU.107.31878 |
| |
High | Unsecured Task Definition Created - Dangerous Capabilities | Modification |
| Â | Â | D9.AWS.108.54497 |
|
October 16 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | Crypto mining terms have been identified | Modification |
| Â | Â | D9.AWS.502.75889 |
|
October 07 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Medium | S3 Bucket Server Access Logs Disabled | New | Â | Â | Â | D9.AWS.103.87181 |
| |
Informational | CloudFront Function Created | New | Â | Â | Â | D9.AWS.105.25835 |
| |
Critical | EC2 AMI is made public in AWS. | New | Â | Â | Â | D9.AWS.100.57034 |
| |
High | Anomalous Login to the Microsoft Entra Connect Synchronization Account | Modification |
|
|
| D9.AZU.512.43406 |
|
September 30 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | Exploiting elevated user access Administrator role | Modification |
|
|
| D9.AZU.512.56418 |
|
September 16 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | Multitenant Access Configured for Azure App | Modification |
| Â | Â | D9.AZU.512.95565 |
| |
High | Admin Permissions Granted to AKS Cluster Service Account | Modification |
| Â | Â | D9.AZU.512.93543 |
|
September 05 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | User Assigned as Subscription Owner | New | Â | Â | Â | D9.AZU.512.63813 |
| |
High | Multitenant Access Configured for Azure App | New | Â | Â | Â | D9.AZU.512.95565 |
| |
High | Admin Permissions Granted to AKS Cluster Service Account | New | Â | Â | Â | D9.AZU.512.93543 |
| |
None | Medium | General Guard Duty Rule | Removal | Â | Â | Â | None |
|
August 11 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | EXPLOITING ELEVATED USER ACCESS ADMINISTRATOR ROLE | Modification |
|
|
| D9.AZU.512.56418 |
|
August 06 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | Azure Firewall Rules Changed | New | Â | Â | Â | D9.AZU.512.87013 |
| |
Low | Azure Active Directory PowerShell Sign-In | New | Â | Â | Â | D9.AZU.512.65751 |
| |
High | S3 ACL Enumeration Attack | New | Â | Â | Â | D9.AWS.502.48632 |
| |
Low | Write Permissions Added to Service Principal | New | Â | Â | Â | D9.AZU.512.59482 |
|
July 24 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Critical | Suspicious Automation Tool Detected | Modification |
| Â | Â | D9.AZU.512.73899 |
|
July 04 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Low | Azure Outbound Response from an internal server file sharing port to a malicious IP | Modification |
|
|
| D9.AZU.512.25639 |
| |
Low | Azure Outbound Response from a Server DB port to a malicious IP | Modification |
|
|
| D9.AZU.512.25894 |
| |
Critical | Azure Outbound communication from a Server DB port to a malicious IP | Modification |
|
|
| D9.AZU.512.64183 |
| |
Low | Outbound Traffic to a Compromised Server | Modification |
| Â | Â | D9.AZU.512.42349 |
| |
Critical | Azure Outbound communication from an internal server file sharing port to a malicious IP | Modification |
|
|
| D9.AZU.512.86610 |
| |
Informational | Azure General Outbound Traffic to a malicious IP | Modification |
|
|
| D9.AZU.512.86161 |
| |
Low | Azure Outbound Response from internal server remote access port to a malicious IP | Modification |
|
|
| D9.AZU.512.67901 |
| |
Critical | Azure Outbound communication from internal server remote access port to a malicious IP | Modification |
|
|
| D9.AZU.512.68557 |
|
June 24 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Informational | Azure Compute SSH Key pair Generated | New | Â | Â | Â | D9.AZU.512.78077 |
| |
Low | Azure File Share modified. | New | Â | Â | Â | D9.AZU.512.91020 |
| |
Informational | AZU General Outbound Traffic to a malicious IP | Modification |
|
|
| D9.AZU.512.86161 |
| |
Low | Azure Firewall Deleted | New | Â | Â | Â | D9.AZU.512.12198 |
| |
Informational | Azure Compute SSH Key pair deleted | New | Â | Â | Â | D9.AZU.512.51624 |
| |
Informational | Outbound Response from a Server Network Port to a Malicious IP | Modification |
|
|
| D9.AWS.502.82906 |
| |
Critical | Azure Network Watcher was created or modified | New | Â | Â | Â | D9.AZU.512.21549 |
| |
Critical | Outbound Communication from a Server Remote Access Port to a Malicious IP | Modification |
| Â | Â | D9.AWS.502.95086 |
| |
Low | Azure managed disks snapshots were modified. | New | Â | Â | Â | D9.AZU.512.47677 |
| |
Low | Azure Service Principal added | New | Â | Â | Â | D9.AZU.512.15433 |
| |
Medium | Outbound Response from a Server Remote Access Port to a Malicious IP | Modification |
| Â | Â | D9.AWS.502.62800 |
| |
D9.AWS.502.89983 | Critical | Outbound Communication from a Server Network Port to a Malicious IP | Removal | Â | Â | Â | D9.AWS.502.89983 |
|
June 18 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Critical | Suspicious Automation Tool Detected | New | Â | Â | Â | D9.AZU.512.73899 |
| |
Low | Outbound Traffic to a Compromised Server | New | Â | Â | Â | D9.AZU.512.42349 |
|
June 17 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Critical | AZU General Outbound Traffic to a malicious IP | New | Â | Â | Â | D9.AZU.512.86161 |
| |
Low | AZU Outbound Response from a Server DB port to a malicious IP | New | Â | Â | Â | D9.AZU.512.25894 |
| |
Low | AZU Outbound Response from internal server remote access port to a malicious IP | New | Â | Â | Â | D9.AZU.512.67901 |
| |
Low | AZU Outbound Response from an internal server file sharing port to a malicious IP | New | Â | Â | Â | D9.AZU.512.25639 |
| |
Critical | AZU Outbound communication from a Server DB port to a malicious IP | New | Â | Â | Â | D9.AZU.512.64183 |
| |
Critical | AZU Outbound communication from an internal server file sharing port to a malicious IP | New | Â | Â | Â | D9.AZU.512.86610 |
| |
Critical | AZU Outbound communication from internal server remote access port to a malicious IP | New | Â | Â | Â | D9.AZU.512.68557 |
| |
Critical | Outbound Communication from a Server File-sharing Port to a Malicious IP | New | Â | Â | Â | D9.AWS.502.41540 |
| |
Critical | Outbound Communication from a Server DB Port to a Malicious IP | New | Â | Â | Â | D9.AWS.502.54494 |
| |
Critical | Outbound Communication from a Server Network Port to a Malicious IP | New | Â | Â | Â | D9.AWS.502.89983 |
| |
Critical | Outbound Communication from a Server Remote Access Port to a Malicious IP | New | Â | Â | Â | D9.AWS.502.95086 |
| |
Medium | Outbound Response from a Server Remote Access Port to a Malicious IP | New | Â | Â | Â | D9.AWS.502.62800 |
| |
Low | Outbound Response from a Server File-sharing Port to a Malicious IP | New | Â | Â | Â | D9.AWS.502.86161 |
| |
Low | Outbound Response from a Server Network Port to a Malicious IP | New | Â | Â | Â | D9.AWS.502.82906 |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â | D9.AWS.105.7551 |
| |
Low | Outbound Response from a Server DB Port to a Malicious IP | New | Â | Â | Â | D9.AWS.502.62133 |
| |
D9.AWS.107.86159 | Critical | Outbound Traffic to Malicious IP Addresses | Removal | Â | Â | Â | D9.AWS.107.86159 |
|
D9.AZU.107.86159 | Critical | Outbound Traffic to Malicious IP Addresses | Removal | Â | Â | Â | D9.AZU.107.86159 |
|
June 06 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Medium | A Microsoft Entra Custom Role Was Created with Owner Permissions | New | Â | Â | Â | D9.AZU.512.97932 |
| |
Informational | Admin permissions attached to a User | New | Â | Â | Â | D9.AZU.512.38978 |
| |
Informational | New User Created | New | Â | Â | Â | D9.AZU.512.23181 |
| |
Low | A Role Has Been Updated | New | Â | Â | Â | D9.AZU.512.55860 |
| |
Informational | Admin permissions attached to a Group | New | Â | Â | Â | D9.AZU.512.80236 |
| |
Low | An Azure custom role was created with permissions to Active Directory | New | Â | Â | Â | D9.AZU.512.60844 |
| |
Low | An Azure custom role was created with full action permissions | New | Â | Â | Â | D9.AZU.512.64788 |
| |
Informational | SQL database Transparent Data Encryption Modified | New | Â | Â | Â | D9.AZU.512.39261 |
| |
Informational | Blob Versioning were Disabled | New | Â | Â | Â | D9.AZU.512.56218 |
| |
Medium | Company settings were modified | New | Â | Â | Â | D9.AZU.512.94460 |
| |
Informational | Network Security Groups were created or updated | New | Â | Â | Â | D9.AZU.512.47901 |
| |
Low | Security info was changed | New | Â | Â | Â | D9.AZU.512.84822 |
| |
Informational | Security Group rule Modification | New | Â | Â | Â | D9.AZU.512.93662 |
| |
Informational | Network Security Groups were deleted | New | Â | Â | Â | D9.AZU.512.46481 |
| |
Informational | User Added to a Group | New | Â | Â | Â | D9.AZU.512.54312 |
| |
Informational | User Login Profile Updated | New | Â | Â | Â | D9.AZU.512.21188 |
| |
Informational | Azure Virtual Network was Created or Modified. | New | Â | Â | Â | D9.AZU.512.78321 |
| |
Low | Azure Virtual Network Deleted. | New | Â | Â | Â | D9.AZU.512.61204 |
|
May 27 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Low | Security info was changed | New | Â | Â | Â | D9.AZU.512.84822 |
| |
Low | Security info Deleted | New | Â | Â | Â | D9.AZU.512.21983 |
| |
Medium | User cancelled security info registration | New | Â | Â | Â | D9.AZU.512.37384 |
| |
High | Admin deleted security info | New | Â | Â | Â | D9.AZU.512.20609 |
| |
Medium | Admin updated security info | New | Â | Â | Â | D9.AZU.512.85015 |
|
May 26 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Low | Create or Update Virtual Network Subnet | New | Â | Â | Â | D9.AZU.512.52853 |
| |
High | Auto Scale Instance Disabled | New | Â | Â | Â | D9.AZU.512.82136 |
| |
Low | Azure File Share deleted | New | Â | Â | Â | D9.AZU.512.77122 |
| |
Medium | AKS Cluster Deleted | New | Â | Â | Â | D9.AZU.512.13719 |
| |
Medium | Create or Update Virtual Machine | New | Â | Â | Â | D9.AZU.512.99000 |
| |
Low | NAT Gateway Created or Updates | New | Â | Â | Â | D9.AZU.512.31736 |
| |
High | Network Firewall Diagnostic Setting Modified | New | Â | Â | Â | D9.AZU.512.50301 |
| |
Low | A Container App Instance Has Been Updated | New | Â | Â | Â | D9.AZU.512.50341 |
|
May 21 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Critical | Conditional Access Policy Deletion | New | Â | Â | Â | D9.AZU.512.60724 |
| |
Medium | Conditional Access Policy Modification | New | Â | Â | Â | D9.AZU.512.16512 |
|
April 18 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
High | Azure SUPERMAN Login | Modification |
| Â | Â | D9.AZU.512.21827 |
|
April 02 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Critical | Active Directory high-privileged role assigned to non-user entity | New | Â | Â | Â | D9.AZU.512.15964 |
| |
High | Elevated Azure Graph API permissions granted | New | Â | Â | Â | D9.AZU.512.96515 |
| |
Critical | Unauthorized actions under tenant’s scope | New |  |  |  | D9.AZU.512.23090 |
| |
High | Exploiting elevated user access administrator role | New | Â | Â | Â | D9.AZU.512.56418 |
|
February 14 2024
GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
---|---|---|---|---|---|---|---|---|
Medium | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification |
|
|
| D9.K8S.522.83805 |
| |
Medium | Outbound Traffic to a Compromised Server From a Kubernetes Cluster | Modification |
|
|
| D9.K8S.522.44344 |
| |
D9.AWS.108.75279 | Informational | EKS Cluster Deleted | Removal | Â | Â | Â | D9.AWS.108.75279 |
|
D9.AWS.108.02076 | Medium | Lack of Service Account Usage in Kubernetes Node | Removal | Â | Â | Â | D9.AWS.108.02076 |
|
D9.AWS.108.12930 | Low | EKS Cluster Control Plane Logs Disabled | Removal | Â | Â | Â | D9.AWS.108.12930 |
|
D9.AWS.108.88809 | Informational | Fargate Profile Created For Cluster | Removal | Â | Â | Â | D9.AWS.108.88809 |
|
July 03 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Medium | Shared EBS Snapshot Was Copied by another AWS Account | Modification |
|
|
|
|
June 18 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Low | Abuse of unsuccessful AssumeRole | Modification |
| Â | Â |
|
May 28 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Informational | Discovery operation using multiple Describe / List APIs | Modification |
|
|
|
|
April 23 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
High | Access key used from multiple IPs | Modification |
| Â | Â |
|
March 30 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Medium | MFA failed attempts | Modification |
| Â | Â |
| |
Low | S3 Bucket Object Collection Pattern | Modification |
|
|
|
|
March 29 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Informational | The trust policy of a role was modified to allow third party access | New | Â | Â | Â |
| |
Informational | CodeCommit GitPull Request | New | Â | Â | Â |
| |
Medium | MFA failed attempts | New | Â | Â | Â |
| |
High | Malicious Source Address Detected in SES or SNS | New | Â | Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
| |
High | S3 Bucket Object Collection Pattern | New | Â | Â | Â |
|
March 20 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Medium | External DescribeVpcs Request | New | Â | Â | Â |
| |
Medium | Multiple Describe APIs Detected | New | Â | Â | Â |
|
March 05 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Informational | Account Password Policy Discovery | New | Â | Â | Â |
| |
Informational | Attach Role to Key Vault | New | Â | Â | Â |
| |
Informational | Failed Login Attempts to Your AZURE Console Using an Invalid Username or Password | New | Â | Â | Â |
| |
Informational | Security Group Modification | Modification |
| Â | Â |
| |
Low | Storage account key regenerate | New | Â | Â | Â |
| |
Critical | VPC Traffic Mirroring Session Created | New | Â | Â | Â |
|
February 19 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Informational | GuardDuty Disabled | Modification |
| Â | Â |
| |
High | A Command Was Sent to All Managed Instances | Modification |
| Â | Â |
| |
Low | A Container Has Been Stopped Due to Absence of an Attached Foreground Process | Modification |
| Â | Â |
| |
Low | A Container Has Been Stopped Due to SIGKILL | Modification |
| Â | Â |
| |
Low | A Container Has Been Stopped Due to SIGSEGV | Modification |
| Â | Â |
| |
Low | A Container Has Been Stopped Due to SIGTERM | Modification |
| Â | Â |
| |
Low | A Container Has Been Stopped Due to Application Error or Incorrect Reference | Modification |
| Â | Â |
| |
Low | A New Overly-Permissive Policy Was Set to Default | Modification |
| Â | Â |
| |
Informational | Abuse of Role Credentials | Modification |
| Â | Â |
| |
Low | Abuse of Unsuccessful AssumeRole | Modification |
| Â | Â |
| |
Low | Abuse of unsuccessful AssumeRole | Modification |
| Â | Â |
| |
Low | Abuse of unsuccessful Role assignments | New | Â | Â | Â |
| |
Medium | Administrator Permissions Attached to a Role | Modification |
| Â | Â |
| |
Low | Administrator Permissions Attached to a User | Modification |
| Â | Â |
| |
Low | AdministratorAccess Permissions Attached to a Role | Modification |
| Â | Â |
| |
Low | AdministratorAccess Permissions Attached to a User | Modification |
| Â | Â |
| |
Low | AdministratorAccess Permissions were attached to a Role | Modification |
| Â | Â |
| |
Medium | Policy Containing All Resources Attached to a Role | Modification |
| Â | Â |
| |
Medium | Policy Containing All Resources Attached to a User | Modification |
| Â | Â |
| |
High | IAM Policy Allowing Privilege Escalation via SSM Service | Modification |
| Â | Â |
| |
Low | An Existing IAM Policy Version Was Set to Default | Modification |
| Â | Â |
| |
Informational | An Image Was Pushed to a Repository | Modification |
| Â | Â |
| |
Critical | An S3 object is Publicly Accessible | Modification |
| Â | Â |
| |
Low | Azure App Role Assigned to Service Principals/Users/Groups | Modification |
| Â | Â |
| |
Informational | Attach Role to Instance | Modification |
| Â | Â |
| |
Informational | Attach Role to Virtual machine | New | Â | Â | Â |
| |
Informational | Attachment of User/Group/Role Policy | Modification |
| Â | Â |
| |
High | Azure SUPERMAN Login | Modification |
| Â | Â |
| |
Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification |
| Â | Â |
| |
High | Brute-force Attack on an S3 Bucket | Modification |
| Â | Â |
| |
Medium | A Policy with IAM CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity | Modification |
| Â | Â |
| |
Informational | Ciem Trigger Event | Modification |
| Â | Â |
| |
High | Crypto mining terms have been identified | Modification |
| Â | Â |
| |
Low | EC2 created in multiple regions | Modification |
| Â | Â |
| |
Informational | Failed Login Attempts to Your AWS Console Using an Invalid Username | Modification |
| Â | Â |
| |
Medium | FullAccess Permissions Attached to a Role | Modification |
| Â | Â |
| |
Medium | FullAccess Permissions Attached to a User | Modification |
| Â | Â |
| |
Medium | Wide-Permissions Policy Attached to a Role | Modification |
| Â | Â |
| |
Medium | Wide-Permissions Policy Attached to a User | Modification |
| Â | Â |
| |
Low | Function Bindings Modified | Modification |
| Â | Â |
| |
Low | IAM Permissions Enumeration | Modification |
| Â | Â |
| |
High | Image Scanning Disabled For Repository | Modification |
| Â | Â |
| |
High | Inbound Accepted Traffic From a Malicious IP Address | Modification |
| Â | Â |
| |
High | Inbound Accepted Traffic From a Malicious IP Address | Modification |
| Â | Â |
| |
High | Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address | Modification |
| Â | Â |
| |
High | Inbound Accepted Traffic From a Malicious IP Address | Modification |
| Â | Â |
| |
Low | Internal Rejected Traffic | Modification |
| Â | Â |
| |
Low | Internal Rejected Traffic | Modification |
| Â | Â |
| |
Medium | K8S SSH Access to Nodes From Pods | Modification |
| Â | Â |
| |
Informational | Key Vault has been created | New | Â | Â | Â |
| |
Low | Large Number of Failed Logins to Azure | Modification |
| Â | Â |
| |
Low | Large Number of Failed Logins to AWS console | Modification |
| Â | Â |
| |
High | Login Attempt to Alibaba console From a Malicious IP Address | Modification |
| Â | Â |
| |
Low | Azure Login Attempt With 2 Different User-Agents in a Short Time | Modification |
| Â | Â |
| |
Low | Successful Console Logins From More Than One User-Agent | Modification |
| Â | Â |
| |
Informational | Multiple New Instances Launched in a Short Period by a Specific User | Modification |
| Â | Â |
| |
High | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification |
| Â | Â |
| |
High | Outbound Traffic From DB Ports to Internet Destination | Modification |
| Â | Â |
| |
High | Outbound Traffic From VPC to Internet Destination Using SMB | Modification |
| Â | Â |
| |
High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification |
| Â | Â |
| |
High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification |
| Â | Â |
| |
Low | Outbound Traffic Suspected as Cryptomining Activity | Modification |
| Â | Â |
| |
Critical | Outbound Traffic to Tor Exit Node | Modification |
| Â | Â |
| |
Critical | Outbound Traffic to Tor Exit Node | Modification |
| Â | Â |
| |
Critical | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
Critical | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
Critical | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
Critical | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
High | Public S3 Bucket, Overly-Permissive Access Point Policy | Modification |
| Â | Â |
| |
High | Public S3 Bucket, Overly-Permissive Bucket Policy | Modification |
| Â | Â |
| |
Medium | Overly-Permissive IAM Policy Attached to a Role | Modification |
| Â | Â |
| |
Medium | Overly-Permissive IAM Policy Attached to a User | Modification |
| Â | Â |
| |
Medium | Overly-Permissive Lambda Permission | Modification |
| Â | Â |
| |
Medium | Overly-Permissive Trust Policy Attached to a Role | Modification |
| Â | Â |
| |
Medium | Overly-Permissive Policy Attached to an SES Identity | Modification |
| Â | Â |
| |
Medium | Overly-Permissive SNS Policy | Modification |
| Â | Â |
| |
Medium | Overly-Permissive SQS Policy | Modification |
| Â | Â |
| |
Low | Owner Added to a Group | New | Â | Â | Â |
| |
Low | Owner Removed from a Group | New | Â | Â | Â |
| |
Low | Password Policy Change | Modification |
| Â | Â |
| |
Informational | Permissions Modified For Blob | New | Â | Â | Â |
| |
Informational | Permissions Modified For Storage account | New | Â | Â | Â |
| |
Informational | Permissions Modified For Table | New | Â | Â | Â |
| |
Medium | Permissions Scanning Attempt | Modification |
| Â | Â |
| |
Medium | Ping Sweep Activity From Within a Kubernetes Pod | Modification |
| Â | Â |
| |
Medium | Ping Sweep Activity | Modification |
| Â | Â |
| |
High | Port Scan of Internal Asset From ECS | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification |
| Â | Â |
| |
Low | Privilege Escalation via Policy Version | Modification |
| Â | Â |
| |
High | RDS Instance Password Changed | Modification |
| Â | Â |
| |
High | RDS Instance Publicly Accessible | Modification |
| Â | Â |
| |
Informational | Role Detached from Virtual machine | New | Â | Â | Â |
| |
Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification |
| Â | Â |
| |
High | Same User Login From Multiple Locations | Modification |
| Â | Â |
| |
Informational | Security Group Modification | Modification |
| Â | Â |
| |
High | Successful API Request Originated From a Suspicious User-Agent | Modification |
| Â | Â |
| |
Critical | Successful API Request Originated From a Malicious IP Address | Modification |
| Â | Â |
| |
Critical | Successful API Request Originated From a Malicious IP Address | Modification |
| Â | Â |
| |
High | Suspicious Command Was Sent to a Managed Instance | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packet Size From a Kubernetes Pod | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packets Volume From a Kubernetes Pod | Modification |
| Â | Â |
| |
High | Suspicious StartSession Event Was Triggered | Modification |
| Â | Â |
| |
Low | Suspicious Outbound Traffic to a Phishing Server | Modification |
| Â | Â |
| |
High | Public S3 Bucket, Overly-Permissive ACL | Modification |
| Â | Â |
| |
High | Unsecured PassRole Permission Was Applied to a Role | Modification |
| Â | Â |
| |
High | Unsecured PassRole Permission Was Applied to a User | Modification |
| Â | Â |
| |
High | Unsecured Repository Created | Modification |
| Â | Â |
| |
High | Unsecured Task Definition Created - Privileged Container | Modification |
| Â | Â |
| |
High | Unsecured Task Definition Created - hostPath | Modification |
| Â | Â |
| |
High | Unsecured Task Definition Created - Env Var and Command | Modification |
| Â | Â |
| |
Informational | User Data has been modified | Modification |
| Â | Â |
|
February 05 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Medium | Azure Admin Consent Was Launched | Modification |
| Â | Â |
| |
Medium | Policy Containing All Resources Attached to a Role | Modification |
|
|
|
| |
Critical | An S3 object is Publicly Accessible | Modification |
|
|
|
| |
Low | Azure App Role Assigned to Service Principals/Users/Groups | Modification |
| Â | Â |
| |
Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification |
|
|
|
| |
Medium | Credentials Were Added to an Azure AD Application | Modification |
| Â | Â |
| |
Medium | Azure Credentials Were Added to an Azure AD Service Principal | Modification |
| Â | Â |
| |
Medium | FullAccess Permissions Attached to a Role | Modification |
| Â | Â |
| |
Medium | FullAccess Permissions Attached to a User | Modification |
| Â | Â |
| |
High | Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address | Modification |
| Â | Â |
| |
Medium | K8S Pod Access to Metadata | Modification |
|
|
|
| |
High | Access key used from multiple IPs | New | Â | Â | Â |
| |
Low | Outbound Traffic to a Compromised Server From a Kubernetes Cluster | Modification |
|
|
|
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â |
| |
High | Suspicious EC2 Instance Without KeyPair Was Launched | Removal | Â | Â | Â |
|
January 22 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Low | A New Overly-Permissive Policy Was Set to Default | Modification |
| Â | Â |
| |
Low | Abuse of unsuccessful AssumeRole | Modification |
| Â | Â |
| |
Low | Policy Containing All Resources Attached to a Role | Modification |
|
|
|
| |
Medium | Policy Containing All Resources Attached to a User | Modification |
| Â | Â |
| |
High | An S3 object is Publicly Accessible | Modification |
|
|
|
| |
Medium | FullAccess Permissions Attached to a Role | Modification |
| Â | Â |
| |
Medium | FullAccess Permissions Attached to a User | Modification |
| Â | Â |
| |
Medium | Wide-Permissions Policy Attached to a Role | Modification |
| Â | Â |
| |
Medium | Wide-Permissions Policy Attached to a User | Modification |
| Â | Â |
| |
Low | Lambda Function Code Was Updated by an Entity Which Assumed a Role | Modification |
|
|
|
| |
High | Public S3 Bucket, Overly-Permissive Access Point Policy | Modification |
| Â | Â |
| |
High | Public S3 Bucket, Overly-Permissive Bucket Policy | Modification |
| Â | Â |
| |
Medium | Overly-Permissive IAM Policy Attached to a Role | Modification |
| Â | Â |
| |
Medium | Overly-Permissive IAM Policy Attached to a User | Modification |
| Â | Â |
| |
Medium | Overly-Permissive Lambda Permission | Modification |
| Â | Â |
| |
Medium | Overly-Permissive Trust Policy Attached to a Role | Modification |
| Â | Â |
| |
Medium | Overly-Permissive Policy Attached to an SES Identity | Modification |
|
|
|
| |
Medium | Overly-Permissive SQS Policy | Modification |
| Â | Â |
| |
Informational | Port Scanning from the Internet | New | Â | Â | Â |
| |
High | Public S3 Bucket, Overly-Permissive ACL | Modification |
| Â | Â |
| |
High | Unsecured PassRole Permission Was Applied to a User | Modification |
| Â | Â |
|
January 16 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Low | A Task on ECS Has Stopped Unexpectedly | Modification |
|
|
|
| |
Low | Abuse of Unsuccessful AssumeRole | Modification |
|
|
|
| |
Low | Abuse of unsuccessful AssumeRole | Modification |
|
|
|
| |
Low | AdministratorAccess Permissions Attached to a Role | Modification |
|
|
|
| |
Low | AdministratorAccess Permissions were attached to a Role | Modification |
|
|
|
| |
Informational | An Image Was Pushed to a Repository | Modification |
|
|
|
| |
Critical | An S3 object is Public Accessible | Modification |
|
|
|
| |
Low | Azure App Role Assigned to Service Principals/Users/Groups | Modification |
|
|
|
| |
High | Same User Login Attempt From Multiple Sources in a Short Period | Modification |
|
|
|
| |
Informational | Blob Deleted | Modification |
|
|
|
| |
Informational | CloudWatch Log Group Created | Modification |
|
|
|
| |
Low | VPC Deleted | Modification |
|
|
|
| |
Critical | EBS Snapshot Permission Modified to Public Access | Modification |
|
|
|
| |
High | Shared EBS Snapshot Was Copied by an External Account | Modification |
|
|
|
| |
Informational | Failed Login Attempts to Your AWS Console Using an Invalid Username | Modification |
|
|
|
| |
Medium | FullAccess Permissions Attached to a User | Modification |
|
|
|
| |
Low | Function App Host Master Key Modified | Modification |
|
|
|
| |
Low | EKS Cluster Control Plane Logs Disabled | Modification |
|
|
|
| |
Low | Several Failed Logins Attempts Followed by a Successful Login to Your AWS Console | Modification |
|
|
|
| |
High | Login Attempt to AWS Console From a Malicious IP Address | Modification |
|
|
|
| |
High | Login Attempt to Alibaba console From a Malicious IP Address | Modification |
|
|
|
| |
High | Login Attempt to Azure From a Malicious IP Address | Modification |
|
|
|
| |
Low | Modification Subnet Attributes | Modification |
|
|
|
| |
High | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification |
|
|
|
| |
High | Outbound Traffic From DB Ports to Internet Destination | Modification |
|
|
|
| |
High | Outbound Traffic From VPC to Internet Destination Using SMB | Modification |
|
|
|
| |
High | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification |
|
|
|
| |
High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification |
|
|
|
| |
High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification |
|
|
|
| |
Critical | Outbound Traffic to Tor Exit Node | Modification |
|
|
|
| |
Critical | Outbound Traffic to Tor Exit Node | Modification |
|
|
|
| |
Critical | Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster | Modification |
|
|
|
| |
Critical | Outbound Traffic to Tor Exit Node | Modification |
|
|
|
| |
High | Suspicious Outbound Traffic to a Suspected CnC Server | Modification |
|
|
|
| |
Critical | Outbound Traffic to Malicious IP Addresses | Modification |
|
|
|
| |
Critical | Outbound Traffic to Malicious IP Addresses | Modification |
|
|
|
| |
Critical | Outbound Traffic to Malicious IP Addresses | Modification |
|
|
|
| |
Critical | Outbound Traffic to Malicious IP Addresses | Modification |
|
|
|
| |
Medium | Overly-Permissive Trust Policy Attached to a Role | Modification |
|
|
|
| |
Low | Password Policy Change | Modification |
|
|
|
| |
High | RDS Instance Publicly Accessible | Modification |
|
|
|
| |
Low | S3 Bucket Deleted | Modification |
|
|
|
| |
High | Series of Enumeration API Calls Executed in Several Regions | Modification |
|
|
|
| |
High | Suspicious StartSession Event Was Triggered | Modification |
|
|
|
|
January 15 2023
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
High | Azure SUPERMAN Login | Modification |
| Â | Â |
| |
Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification |
| Â | Â |
| |
Low | K8S Pod Access to Metadata | Modification |
|
|
|
| |
Informational | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification |
| Â | Â |
| |
Medium | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification |
| Â | Â |
| |
Medium | Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster | Modification |
|
|
|
| |
Medium | Outbound Traffic to a Compromised Server From a Kubernetes Cluster | Modification |
|
|
|
| |
Low | Suspicious Outbound Traffic to a CnC Server From a Kubernetes Cluster | Modification |
|
|
|
| |
High | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packet Size From a Kubernetes Pod | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packets Volume From a Kubernetes Pod | Modification |
|
|
|
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â |
| |
Medium | Large Number of Failed Logins Followed by a Successful Login to Your Azure Account | Removal | Â | Â | Â |
|
December 25 2022
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Low | Function Bindings Modified | Modification |
| Â | Â |
| |
Low | Azure Login Attempt With 2 Different User-Agents in a Short Time | Modification |
| Â | Â |
| |
High | Outbound Traffic to Tor Exit Node | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packet Size | Modification |
| Â | Â |
|
December 11 2022
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Informational | Abuse of Role Credentials | Modification |
| Â | Â |
| |
High | Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address | Modification |
| Â | Â |
| |
High | Inbound Accepted Traffic From a Malicious IP Address | Modification |
| Â | Â |
| |
Low | Large Number of Failed Logins to Azure | Modification |
| Â | Â |
| |
Informational | Multiple New Instances Launched in a Short Period by a Specific User | Modification |
|
|
|
| |
Low | Outbound Traffic From DB Ports to Internet Destination | Modification |
|
|
|
| |
Informational | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification |
| Â | Â |
| |
Informational | Security Group Modification | Modification |
|
|
|
| |
Low | Suspicious Outbound Traffic to a Phishing Server | Modification |
| Â | Â |
|
November 28 2022
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Informational | Abuse of Role Credentials | New | Â | Â | Â |
| |
High | Crypto mining terms have been identified | New | Â | Â | Â |
| |
Low | EC2 created in multiple regions | New | Â | Â | Â |
| |
High | Inbound Accepted Traffic From a Malicious IP Address | Modification |
| Â | Â |
| |
Low | Large Number of Failed Logins to Azure | Modification |
| Â | Â |
| |
Critical | Login Attempt to Azure From a Malicious IP Address | Modification |
| Â | Â |
| |
High | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
Medium | Overly-Permissive SNS Policy | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packets Volume From a Kubernetes Pod | Modification |
|
|
|
| |
High | Unsecured Task Definition Created - hostPath | Modification |
| Â | Â |
| |
High | Unsecured Task Definition Created - Env Var and Command | Modification |
| Â | Â |
| |
Informational | User Data has been modified | New | Â | Â | Â |
| |
High | Abuse of Access Token Generated by STS Dedicated For Lambda | Removal | Â | Â | Â |
| |
High | Abuse of Access Token Generated by STS Dedicated For EC2 | Removal | Â | Â | Â |
| |
Critical | Abuse of Access Token Generated by STS Dedicated for ECS | Removal | Â | Â | Â |
| |
Critical | Abuse of Access Token Generated by STS Dedicated For Kubernetes Node Group | Removal | Â | Â | Â |
| |
Critical | Abuse of Access Token Generated by STS Dedicated For Kubernetes Pod | Removal | Â | Â | Â |
| |
Low | Container Deleted | Removal | Â | Â | Â |
| |
Informational | Container Created | Removal | Â | Â | Â |
|
November 13 2022
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Low | Function Bindings Modified | Modification |
| Â | Â |
| |
High | Inbound Accepted Traffic From a Malicious IP Address | Modification |
| Â | Â |
| |
Medium | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification |
| Â | Â |
| |
High | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
|
November 07 2022
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Low | Internal Rejected Traffic | Modification |
| Â | Â |
| |
Medium | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification |
| Â | Â |
| |
Medium | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification |
| Â | Â |
| |
High | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
Medium | Ping Sweep Activity From Within a Kubernetes Pod | Modification |
| Â | Â |
| |
Medium | Ping Sweep Activity | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
|
November 06 2022
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Low | Internal Rejected Traffic | Modification |
| Â | Â |
| |
Low | Internal Rejected Traffic | Modification |
| Â | Â |
| |
High | K8S Pod Access to Metadata | Modification |
| Â | Â |
| |
Medium | K8S SSH Access to Nodes From Pods | Modification |
| Â | Â |
| |
Medium | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification |
| Â | Â |
| |
Medium | Outbound Traffic From DB Ports to Internet Destination | Modification |
| Â | Â |
| |
Low | Outbound Traffic From VPC to Internet Destination Using SMB | Modification |
| Â | Â |
| |
Informational | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification |
| Â | Â |
| |
Medium | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification |
| Â | Â |
| |
Informational | Outbound Traffic From VPC to Internet Destination Using RDP | Modification |
| Â | Â |
| |
Low | Outbound Traffic Suspected as Cryptomining Activity | Modification |
| Â | Â |
| |
High | Outbound Traffic to Tor Exit Node | Modification |
| Â | Â |
| |
Medium | Suspicious Outbound Traffic to a Suspected CnC Server | Modification |
| Â | Â |
| |
High | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
Medium | Ping Sweep Activity From Within a Kubernetes Pod | Modification |
| Â | Â |
| |
Medium | Ping Sweep Activity | Modification |
| Â | Â |
| |
High | Port Scan of Internal Asset From ECS | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious Outbound Traffic to a Phishing Server | Modification |
| Â | Â |
| |
High | Unsecured Task Definition Created - Dangerous Capabilities | Modification |
| Â | Â |
| |
Medium | Unusual Exposed Ports on Instance | Modification |
| Â | Â |
| |
Low | Outbound Traffic From a Kubernetes Cluster Suspected as Cryptomining Activity | Removal | Â | Â | Â |
|
October 30 2022
Note: This is the first RN, Include all changes from 11.09.2022 to 30.10.2022
Rule ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Affected Rulesets |
---|---|---|---|---|---|---|---|
Informational | GuardDuty Disabled | Modification |
| Â | Â |
| |
Low | GuardDuty Suspended | Modification |
| Â | Â |
| |
Medium | Administrator Permissions Attached to a Role | Modification |
| Â | Â |
| |
Low | Administrator Permissions Attached to a User | Modification |
| Â | Â |
| |
Low | IAM Permissions Enumeration | Modification |
| Â | Â |
| |
Low | Internal Rejected Traffic | Modification |
| Â | Â |
| |
Low | Internal Rejected Traffic | Modification |
| Â | Â |
| |
High | K8S Pod Access to Metadata | Modification |
| Â | Â |
| |
Medium | K8S SSH Access to Nodes From Pods | Modification |
| Â | Â |
| |
Critical | Login Attempt to Alibaba console From a Malicious IP Address | Modification |
|
|
|
| |
Medium | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification |
| Â | Â |
| |
Medium | Outbound Traffic From DB Ports to Internet Destination | Modification |
| Â | Â |
| |
Low | Outbound Traffic From VPC to Internet Destination Using SMB | Modification |
| Â | Â |
| |
Informational | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification |
| Â | Â |
| |
Informational | Outbound Traffic From VPC to Internet Destination Using RDP | Modification |
| Â | Â |
| |
Low | Outbound Traffic Suspected as Cryptomining Activity | Modification |
| Â | Â |
| |
High | Outbound Traffic to Tor Exit Node | Modification |
| Â | Â |
| |
Medium | Suspicious Outbound Traffic to a Suspected CnC Server | Modification |
| Â | Â |
| |
High | Outbound Traffic to Malicious IP Addresses | Modification |
| Â | Â |
| |
Medium | Ping Sweep Activity From Within a Kubernetes Pod | Modification |
| Â | Â |
| |
Medium | Ping Sweep Activity | Modification |
| Â | Â |
| |
High | Port Scan of Internal Asset From ECS | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset From a Kubernetes Pod | Modification |
| Â | Â |
| |
High | Port Scanning of an Internal Asset | Modification |
| Â | Â |
| |
Informational | Project IAM Policy Updated | Modification |
| Â | Â |
| |
Informational | Service Account IAM Policy Updated | Modification |
| Â | Â |
| |
Low | Successful Login Without MFA | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious DNS Packets Volume Per Session | Modification |
| Â | Â |
| |
High | Suspicious ECS Task Has Been Executed | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packet Size | Modification |
| Â | Â |
| |
Low | Suspicious NTP Packets Volume Per Session | Modification |
| Â | Â |
| |
Low | Suspicious Outbound Traffic to a Phishing Server | Modification |
| Â | Â |
| |
High | Unsecured Task Definition Created - Privileged Container | Modification |
| Â | Â |
| |
Medium | Unusual Exposed Ports on Instance | Modification |
| Â | Â |
|