CloudGuard Intelligence Updates

 

November 11 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AWS.502.75889 | High | Crypto mining terms have been identified | Modification | Logic | | | D9.AWS.502.75889 | None |

November 04 2024

GSL ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Rule ID

Affected Rulesets

GSL ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Rule ID

Affected Rulesets

D9.AWS.106.00673

High

AWS Outbound Traffic from DB Ports to Internet Destination

Modification

  • Name

  • Logic

  • Outbound Traffic From DB Ports to Internet Destination

  • AWS Outbound Traffic from DB Ports to Internet Destination

D9.AWS.106.00673

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR AWS All Rules

D9.AWS.502.62800

Medium

AWS Outbound Response from Server Remote Access Port to Malicious IP Address

Modification

  • Name

  • Logic

  • Outbound Response from a Server Remote Access Port to a Malicious IP

  • AWS Outbound Response from Server Remote Access Port to Malicious IP Address

D9.AWS.502.62800

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • AWS CloudGuard Best Practices

  • CloudGuard CDR AWS All Rules

D9.AWS.502.54494

Critical

AWS Outbound Communication from Server DB Port to Malicious IP Address

Modification

  • Name

  • Logic

  • Outbound Communication from a Server DB Port to a Malicious IP

  • AWS Outbound Communication from Server DB Port to Malicious IP Address

D9.AWS.502.54494

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • AWS CloudGuard Best Practices

  • CloudGuard CDR AWS All Rules

D9.AWS.502.41540

Critical

AWS Outbound Communication from Server Filesharing Port to Malicious IP Address

Modification

  • Name

  • Logic

  • Outbound Communication from a Server File-sharing Port to a Malicious IP

  • AWS Outbound Communication from Server Filesharing Port to Malicious IP Address

D9.AWS.502.41540

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • AWS CloudGuard Best Practices

  • CloudGuard CDR AWS All Rules

D9.AWS.502.95086

Critical

AWS Outbound Communication from Server Remote Access Port to Malicious IP Address

Modification

  • Name

  • Logic

  • Outbound Communication from a Server Remote Access Port to a Malicious IP

  • AWS Outbound Communication from Server Remote Access Port to Malicious IP Address

D9.AWS.502.95086

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • AWS CloudGuard Best Practices

  • CloudGuard CDR AWS All Rules

D9.AWS.502.62133

Low

AWS Outbound Response from Server DB Port to Malicious IP Address

Modification

  • Name

  • Logic

  • Outbound Response from a Server DB Port to a Malicious IP

  • AWS Outbound Response from Server DB Port to Malicious IP Address

D9.AWS.502.62133

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • AWS CloudGuard Best Practices

  • CloudGuard CDR AWS All Rules

D9.AWS.502.82906

Informational

AWS Outbound Response from Server Network Port to Malicious IP Address

Modification

  • Name

  • Outbound Response from a Server Network Port to a Malicious IP

  • AWS Outbound Response from Server Network Port to Malicious IP Address

D9.AWS.502.82906

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • AWS CloudGuard Best Practices

  • CloudGuard CDR AWS All Rules

D9.AWS.502.86161

Low

AWS Outbound Response from Server Filesharing Port to Malicious IP Address

Modification

  • Name

  • Logic

  • Outbound Response from a Server File-sharing Port to a Malicious IP

  • AWS Outbound Response from Server Filesharing Port to Malicious IP Address

D9.AWS.502.86161

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • AWS CloudGuard Best Practices

  • CloudGuard CDR AWS All Rules

D9.AWS.107.1929

High

AWS Inbound Accepted Traffic from Malicious IP Address

Modification

  • Name

  • Logic

  • Inbound Accepted Traffic From a Malicious IP Address

  • AWS Inbound Accepted Traffic from Malicious IP Address

D9.AWS.107.1929

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS MITRE ATT&CK â„¢ - Command and Control

  • CloudGuard CDR AWS All Rules

D9.AWS.108.98731

Low

AWS Outbound Traffic Suspected as Cryptomining Activity

Modification

  • Name

  • Outbound Traffic Suspected as Cryptomining Activity

  • AWS Outbound Traffic Suspected as Cryptomining Activity

D9.AWS.108.98731

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR AWS All Rules

D9.AWS.107.09562

High

AWS Outbound Traffic from VPC to Internet Destination using RDP

Modification

  • Name

  • Logic

  • Outbound Traffic From VPC to Internet Destination Using RDP

  • AWS Outbound Traffic from VPC to Internet Destination using RDP

D9.AWS.107.09562

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Lateral Movement

  • CloudGuard CDR AWS All Rules

D9.AWS.107.22364

High

AWS Outbound Traffic from VPC to Internet Destination using SMB

Modification

  • Name

  • Logic

  • Outbound Traffic From VPC to Internet Destination Using SMB

  • AWS Outbound Traffic from VPC to Internet Destination using SMB

D9.AWS.107.22364

  • AWS CloudGuard Network Security

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Lateral Movement

  • CloudGuard CDR AWS All Rules

D9.AWS.107.44344

Low

AWS Outbound Traffic to Compromised Server

Modification

  • Name

  • Outbound Traffic to a Compromised Server

  • AWS Outbound Traffic to Compromised Server

D9.AWS.107.44344

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • CloudGuard CDR AWS All Rules

D9.ALI.702.19961

Low

Abuse of Unsuccessful AssumeRole

Modification

  • Logic

 

 

D9.ALI.702.19961

  • Alibaba CloudGuard Best Practices

  • CloudGuard CDR Alibaba All Rules

D9.AWS.107.02305

Critical

AWS Outbound Traffic to TOR Exit Node

Modification

  • Name

  • Outbound Traffic to Tor Exit Node

  • AWS Outbound Traffic to TOR Exit Node

D9.AWS.107.02305

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Command and Control

  • CloudGuard CDR AWS All Rules

D9.AWS.107.04785

High

AWS Suspicious Outbound Traffic to Suspected CnC Server

Modification

  • Name

  • Suspicious Outbound Traffic to a Suspected CnC Server

  • AWS Suspicious Outbound Traffic to Suspected CnC Server

D9.AWS.107.04785

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR AWS All Rules

D9.AWS.101.50079

Informational

AWS Security Group Modification

Modification

  • Name

  • Security Group Modification

  • AWS Security Group Modification

D9.AWS.101.50079

  • AWS CloudGuard Network Security

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • CloudGuard CDR AWS All Rules

D9.AWS.101.97471

Low

AWS Suspicious Outbound Traffic to Phishing Server

Modification

  • Name

  • Suspicious Outbound Traffic to a Phishing Server

  • AWS Suspicious Outbound Traffic to Phishing Server

D9.AWS.101.97471

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR AWS All Rules

D9.ALI.702.06360

Low

AdministratorAccess Permissions were attached to a Role

Modification

  • Logic

 

 

D9.ALI.702.06360

  • Alibaba CloudGuard Best Practices

  • CloudGuard CDR Alibaba All Rules

D9.AWS.0.28676

Low

A User Was Added to an Admin Group

Modification

  • Logic

 

 

D9.AWS.0.28676

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS CloudGuard Account Activity

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • AWS MITRE ATT&CK â„¢ - Persistence

  • CloudGuard CDR AWS All Rules

D9.AWS.0.71403

Medium

A Policy with IAM CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity

Modification

  • Logic

 

 

D9.AWS.0.71403

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • CloudGuard CDR AWS All Rules

D9.AWS.0.38420

Medium

A Policy With S3 CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity

Modification

  • Logic

 

 

D9.AWS.0.38420

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • CloudGuard CDR AWS All Rules

D9.AZU.512.40041

Low

App Role Assigned to Service Principals or Users or Groups

Modification

  • Name

  • Azure App Role Assigned to Service Principals/Users/Groups

  • App Role Assigned to Service Principals or Users or Groups

D9.AZU.512.40041

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Privilege Escalation

  • CloudGuard CDR Azure All Rules

D9.AZU.512.82136

High

Auto Scale Instance Disabled

Modification

  • Logic

 

 

D9.AZU.512.82136

  • Azure MITRE ATT&CK â„¢ - Impact

  • Azure CloudGuard Best Practices

  • CloudGuard CDR Azure All Rules

D9.AZU.512.35494

Medium

Azure Credentials Were Added to an Azure AD Service Principal

Modification

  • Logic

 

 

D9.AZU.512.35494

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Credential Access

  • CloudGuard CDR Azure All Rules

D9.AWS.0.23097

Low

An Existing IAM Policy Version Was Set to Default

Modification

  • Logic

 

 

D9.AWS.0.23097

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • CloudGuard CDR AWS All Rules

D9.AWS.0.17234

Informational

Attachment of User or Group or Role Policy

Modification

  • Name

  • Attachment of User/Group/Role Policy

  • Attachment of User or Group or Role Policy

D9.AWS.0.17234

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Account Activity

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • CloudGuard CDR AWS All Rules

D9.AWS.0.35359

Medium

Access Key Status Changed to Active or Inactive

Modification

  • Name

  • Logic

  • Access Key Status Changed to Active/Inactive

  • Access Key Status Changed to Active or Inactive

D9.AWS.0.35359

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Key Management

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Impact

  • CloudGuard CDR AWS All Rules

D9.AWS.102.06361

Low

AdministratorAccess Permissions Attached to a Role

Modification

  • Logic

 

 

D9.AWS.102.06361

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • CloudGuard CDR AWS All Rules

D9.AWS.104.71471

Low

Access Key Created

Modification

  • Logic

 

 

D9.AWS.104.71471

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Key Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • AWS MITRE ATT&CK â„¢ - Persistence

  • CloudGuard CDR AWS All Rules

D9.AWS.0.49438

Low

AdministratorAccess Permissions Attached to a User

Modification

  • Logic

 

 

D9.AWS.0.49438

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • CloudGuard CDR AWS All Rules

D9.AZU.512.64183

Critical

Azure Outbound Communication from Server DB Port to Malicious IP Address

Modification

  • Name

  • Azure Outbound communication from a Server DB port to a malicious IP

  • Azure Outbound Communication from Server DB Port to Malicious IP Address

D9.AZU.512.64183

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR Azure All Rules

D9.AZU.107.71929

High

Azure Inbound Accepted Traffic from Malicious IP Address

Modification

  • Name

  • Logic

  • Inbound Accepted Traffic From a Malicious IP Address

  • Azure Inbound Accepted Traffic from Malicious IP Address

D9.AZU.107.71929

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Initial Access

  • Azure MITRE ATT&CK â„¢ - Command and Control

  • CloudGuard CDR Azure All Rules

D9.AZU.512.86610

Critical

Azure Outbound Communication from Server Filesharing Port to Malicious IP Address

Modification

  • Name

  • Azure Outbound communication from an internal server file sharing port to a malicious IP

  • Azure Outbound Communication from Server Filesharing Port to Malicious IP Address

D9.AZU.512.86610

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR Azure All Rules

D9.AZU.512.68557

Critical

Azure Outbound Communication from Server Remote Access Port to Malicious IP Address

Modification

  • Name

  • Azure Outbound communication from internal server remote access port to a malicious IP

  • Azure Outbound Communication from Server Remote Access Port to Malicious IP Address

D9.AZU.512.68557

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR Azure All Rules

D9.AZU.512.25894

Low

Azure Outbound Response from Server DB Port to Malicious IP Address

Modification

  • Name

  • Azure Outbound Response from a Server DB port to a malicious IP

  • Azure Outbound Response from Server DB Port to Malicious IP Address

D9.AZU.512.25894

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR Azure All Rules

D9.AZU.512.25639

Low

Azure Outbound Response from Server Filesharing Port to Malicious IP Address

Modification

  • Name

  • Azure Outbound Response from an internal server file sharing port to a malicious IP

  • Azure Outbound Response from Server Filesharing Port to Malicious IP Address

D9.AZU.512.25639

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR Azure All Rules

D9.AZU.512.67901

Low

Azure Outbound Response from Server Remote Access Port to Malicious IP Address

Modification

  • Name

  • Azure Outbound Response from internal server remote access port to a malicious IP

  • Azure Outbound Response from Server Remote Access Port to Malicious IP Address

D9.AZU.512.67901

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR Azure All Rules

D9.AZU.512.42349

Low

Azure Outbound Traffic to Compromised Server

Modification

  • Name

  • Outbound Traffic to a Compromised Server

  • Azure Outbound Traffic to Compromised Server

D9.AZU.512.42349

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Initial Access

  • CloudGuard CDR Azure All Rules

D9.AZU.512.86161

Informational

Azure Outbound Traffic to Malicious IP Addresses

Modification

  • Name

  • Azure General Outbound Traffic to a malicious IP

  • Azure Outbound Traffic to Malicious IP Addresses

D9.AZU.512.86161

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR Azure All Rules

D9.AWS.502.29977

Informational

CodeCommit GitPull Request

Modification

  • Logic

 

 

D9.AWS.502.29977

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Collection

  • CloudGuard CDR AWS All Rules

D9.AZU.512.93662

Informational

Azure Security Group Modification

Modification

  • Name

  • Security Group rule Modification

  • Azure Security Group Modification

D9.AZU.512.93662

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Defense Evasion

  • Azure MITRE ATT&CK â„¢ - Privilege Escalation

  • CloudGuard CDR Azure All Rules

D9.AZU.512.09562

High

Azure Outbound Traffic from VPC to Internet Destination using RDP

Modification

  • Name

  • Outbound Traffic From a VPC to an Internet Destination Using RDP

  • Azure Outbound Traffic from VPC to Internet Destination using RDP

D9.AZU.512.09562

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Lateral Movement

  • CloudGuard CDR Azure All Rules

D9.AWS.502.28997

Informational

Discovery operation using multiple Describe or List APIs

Modification

  • Name

  • Logic

  • Discovery operation using multiple Describe / List APIs

  • Discovery operation using multiple Describe or List APIs

D9.AWS.502.28997

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Discovery

  • CloudGuard CDR AWS All Rules

D9.GCP.515.44354

High

GCP Inbound Accepted Traffic from Malicious IP Address

Modification

  • Name

  • Logic

  • Inbound Accepted Traffic From a Malicious IP Address

  • GCP Inbound Accepted Traffic from Malicious IP Address

D9.GCP.515.44354

  • GCP CloudGuard Network Traffic

  • CloudGuard CDR GCP All Rules

D9.AZU.101.02305

Critical

Azure Outbound Traffic to TOR Exit Node

Modification

  • Name

  • Outbound Traffic to Tor Exit Node

  • Azure Outbound Traffic to TOR Exit Node

D9.AZU.101.02305

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Command and Control

  • CloudGuard CDR Azure All Rules

D9.AWS.502.49684

Medium

External DescribeVpcs Request

Modification

  • Logic

 

 

D9.AWS.502.49684

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Discovery

  • CloudGuard CDR AWS All Rules

D9.K8S.107.71929

High

Inbound Accepted Traffic to Kubernetes Cluster from Malicious IP Address

Modification

  • Name

  • Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address

  • Inbound Accepted Traffic to Kubernetes Cluster from Malicious IP Address

D9.K8S.107.71929

  • Kubernetes CloudGuard Best Practices

D9.GCP.515.45774

High

GCP Outbound Traffic from VPC to Internet Destination using RDP

Modification

  • Name

  • Outbound Traffic From VPC to Internet Destination Using RDP

  • GCP Outbound Traffic from VPC to Internet Destination using RDP

D9.GCP.515.45774

  • GCP CloudGuard Network Traffic

  • CloudGuard CDR GCP All Rules

D9.GCP.515.40828

Critical

GCP Outbound Traffic to Malicious IP Addresses

Modification

  • Name

  • Logic

  • Outbound Traffic to Malicious IP Addresses

  • GCP Outbound Traffic to Malicious IP Addresses

D9.GCP.515.40828

  • GCP CloudGuard Network Traffic

  • CloudGuard CDR GCP All Rules

D9.GCP.515.47515

Critical

GCP Outbound Traffic to TOR Exit Node

Modification

  • Name

  • Outbound Traffic to Tor Exit Node

  • GCP Outbound Traffic to TOR Exit Node

D9.GCP.515.47515

  • GCP CloudGuard Network Traffic

  • CloudGuard CDR GCP All Rules

D9.AWS.108.97652

Medium

K8S SSH Access to Nodes from Pods

Modification

  • Name

  • K8S SSH Access to Nodes From Pods

  • K8S SSH Access to Nodes from Pods

D9.AWS.108.97652

  • Kubernetes CloudGuard Best Practices

D9.AWS.100.57034

Critical

EC2 AMI is made public in AWS

Modification

  • Name

  • EC2 AMI is made public in AWS.

  • EC2 AMI is made public in AWS

D9.AWS.100.57034

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • CloudGuard CDR AWS All Rules

D9.K8S.522.86159

Critical

Outbound Kubernetes Traffic to Malicious IP Addresses

Modification

  • Name

  • Outbound Traffic to Malicious IP Addresses

  • Outbound Kubernetes Traffic to Malicious IP Addresses

D9.K8S.522.86159

  • Kubernetes CloudGuard Best Practices

D9.K8S.106.00673

High

Outbound Traffic to Internet Destination from DB Ports within Kubernetes Cluster

Modification

  • Name

  • Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination

  • Outbound Traffic to Internet Destination from DB Ports within Kubernetes Cluster

D9.K8S.106.00673

  • Kubernetes CloudGuard Best Practices

D9.K8S.522.83805

Medium

Outbound Traffic from Kubernetes Cluster to Internet Destination Using SSH

Modification

  • Name

  • Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH

  • Outbound Traffic from Kubernetes Cluster to Internet Destination Using SSH

D9.K8S.522.83805

  • Kubernetes CloudGuard Best Practices

D9.AWS.108.49195

High

Brute-force Attack on an S3 Bucket

Modification

  • Logic

 

 

D9.AWS.108.49195

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Discovery

  • AWS MITRE ATT&CK â„¢ - Collection

  • AWS MITRE ATT&CK â„¢ - Exfiltration

  • CloudGuard CDR AWS All Rules

D9.K8S.522.02305

Critical

Outbound Traffic to TOR Exit Node from within Kubernetes Cluster

Modification

  • Name

  • Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster

  • Outbound Traffic to TOR Exit Node from within Kubernetes Cluster

D9.K8S.522.02305

  • Kubernetes CloudGuard Best Practices

D9.AWS.105.66271

Low

IAM Permissions Enumeration

Modification

  • Logic

 

 

D9.AWS.105.66271

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Discovery

  • CloudGuard CDR AWS All Rules

D9.AZU.512.14996

Informational

Function Created

Modification

  • Logic

 

 

D9.AZU.512.14996

  • Azure CloudGuard Cloud Asset Management

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Execution

  • Azure MITRE ATT&CK â„¢ - Command and Control

  • Azure MITRE ATT&CK â„¢ - Impact

  • CloudGuard CDR Azure All Rules

D9.AWS.108.32796

Medium

Lambda DoS

Modification

  • Logic

 

 

D9.AWS.108.32796

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Impact

  • CloudGuard CDR AWS All Rules

D9.AWS.107.92598

Medium

Lambda Layer Was Added From an External Account

Modification

  • Logic

 

 

D9.AWS.107.92598

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Serverless

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • AWS MITRE ATT&CK â„¢ - Impact

  • CloudGuard CDR AWS All Rules

D9.AWS.102.25662

Medium

IAM Policy Allowing Privilege Escalation via EC2 Service

Modification

  • Logic

 

 

D9.AWS.102.25662

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • CloudGuard CDR AWS All Rules

D9.AZU.512.56100

Low

Large Number of Failed Logins to Azure

Modification

  • Logic

 

 

D9.AZU.512.56100

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK â„¢ - Initial Access

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Credential Access

  • CloudGuard CDR Azure All Rules

D9.AWS.105.87086

Medium

Ping Sweep Activity

Modification

  • Logic

 

 

D9.AWS.105.87086

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK â„¢ - Discovery

  • CloudGuard CDR AWS All Rules

D9.AWS.108.27256

Medium

Overly-Permissive Policy Attached to an SES Identity

Modification

  • Logic

 

 

D9.AWS.108.27256

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • CloudGuard CDR AWS All Rules

D9.AWS.108.42542

Low

Password Policy Change

Modification

  • Logic

 

 

D9.AWS.108.42542

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK â„¢ - Initial Access

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • CloudGuard CDR AWS All Rules

D9.AWS.108.88304

Medium

Overly-Permissive SQS Policy

Modification

  • Logic

 

 

D9.AWS.108.88304

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • CloudGuard CDR AWS All Rules

D9.GCP.515.48951

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

D9.GCP.515.48951

  • GCP CloudGuard Network Traffic

  • CloudGuard CDR GCP All Rules

D9.AWS.108.80248

Medium

Overly-Permissive Lambda Permission

Modification

  • Logic

 

 

D9.AWS.108.80248

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Privilege Escalation

  • CloudGuard CDR AWS All Rules

D9.AWS.502.49424

Informational

Port Scanning from the Internet

Modification

  • Logic

 

 

D9.AWS.502.49424

  • AWS CloudGuard Network Security

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Discovery

  • CloudGuard CDR AWS All Rules

D9.AZU.512.17551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

D9.AZU.512.17551

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure CloudGuard Best Practices

  • Azure MITRE ATT&CK â„¢ - Discovery

  • CloudGuard CDR Azure All Rules

D9.AWS.105.7551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

D9.AWS.105.7551

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK â„¢ - Discovery

  • AWS CloudGuard Best Practices

  • CloudGuard CDR AWS All Rules

D9.AWS.105.54069

High

Port Scan of Internal Asset From ECS

Modification

  • Logic

 

 

D9.AWS.105.54069

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Discovery

  • CloudGuard CDR AWS All Rules

D9.AWS.502.81184

Low

S3 Bucket Object Collection Pattern

Modification

  • Logic

 

 

D9.AWS.502.81184

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Collection

  • CloudGuard CDR AWS All Rules

D9.AWS.0.88439

High

RDS Instance Password Changed

Modification

  • Logic

 

 

D9.AWS.0.88439

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Account Activity

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • AWS MITRE ATT&CK â„¢ - Impact

  • CloudGuard CDR AWS All Rules

D9.AWS.108.93965

Low

S3 Objects Deleted

Modification

  • Name

  • S3 Object/s Deleted

  • S3 Objects Deleted

D9.AWS.108.93965

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Account Activity

  • AWS MITRE ATT&CK â„¢ - Impact

  • CloudGuard CDR AWS All Rules

D9.AWS.0.11261

Informational

Role Disassociated from Instance

Modification

  • Logic

 

 

D9.AWS.0.11261

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Account Activity

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • AWS MITRE ATT&CK â„¢ - Impact

  • CloudGuard CDR AWS All Rules

D9.AWS.108.67850

High

RDS Instance Publicly Accessible

Modification

  • Logic

 

 

D9.AWS.108.67850

  • AWS CloudGuard Network Security

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • CloudGuard CDR AWS All Rules

D9.AWS.0.90316

Low

S3 Bucket Configurations Deleted

Modification

  • Logic

 

 

D9.AWS.0.90316

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK â„¢ - Persistence

  • AWS MITRE ATT&CK â„¢ - Defense Evasion

  • AWS MITRE ATT&CK â„¢ - Impact

  • CloudGuard CDR AWS All Rules

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AWS.108.26846 | Medium | S3 Bucket Versioning Suspended | Modification | Logic | | | D9.AWS.108.26846 | AWS CloudGuard Cloud Asset Management; AWS CloudGuard Serverless; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Impact; CloudGuard CDR AWS All Rules |
| D9.AWS.104.18467 | Low | Several Failed Logins Attempts Followed by a Successful Login to Your AWS Console | Modification | Logic | | | D9.AWS.104.18467 | AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Credential Access; CloudGuard CDR AWS All Rules |
| D9.AWS.108.44333 | Critical | Successful API Request Originated From a Tor Exit Node | Modification | Logic | | | D9.AWS.108.44333 | AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Execution; CloudGuard CDR AWS All Rules |
| D9.AWS.104.70939 | Low | Successful Console Logins From More Than One User-Agent | Modification | Logic | | | D9.AWS.104.70939 | AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Privilege Escalation; CloudGuard CDR AWS All Rules |
| D9.GCP.515.54560 | Low | Suspicious DNS Packet Size | Modification | Logic | | | D9.GCP.515.54560 | GCP CloudGuard Network Traffic; CloudGuard CDR GCP All Rules |
| D9.GCP.515.80600 | Low | Suspicious DNS Packets Volume Per Session | Modification | Logic | | | D9.GCP.515.80600 | GCP CloudGuard Network Traffic; CloudGuard CDR GCP All Rules |
| D9.GCP.515.61003 | Low | Suspicious NTP Packet Size | Modification | Logic | | | D9.GCP.515.61003 | GCP CloudGuard Network Traffic; CloudGuard CDR GCP All Rules |
| D9.AWS.107.09957 | Low | Suspicious DNS Packet Size | Modification | Logic | | | D9.AWS.107.09957 | AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Command and Control; AWS MITRE ATT&CK ™ - Exfiltration; CloudGuard CDR AWS All Rules |
| D9.GCP.515.97764 | Low | Suspicious NTP Packets Volume Per Session | Modification | Logic | | | D9.GCP.515.97764 | GCP CloudGuard Network Traffic; CloudGuard CDR GCP All Rules |
| D9.AZU.512.23090 | Critical | Unauthorized actions under tenant scope | Modification | Name | Unauthorized actions under tenant's scope | Unauthorized actions under tenant scope | D9.AZU.512.23090 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Lateral Movement; CloudGuard CDR Azure All Rules |
| D9.AWS.107.37118 | Low | Suspicious DNS Packets Volume Per Session | Modification | Logic | | | D9.AWS.107.37118 | AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Command and Control; AWS MITRE ATT&CK ™ - Exfiltration; CloudGuard CDR AWS All Rules |
| D9.AWS.108.25508 | High | Suspicious StartSession Event Was Triggered | Modification | Logic | | | D9.AWS.108.25508 | AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Command and Control; CloudGuard CDR AWS All Rules |
| D9.AWS.107.31878 | Low | Suspicious NTP Packet Size | Modification | Logic | | | D9.AWS.107.31878 | AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Command and Control; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; CloudGuard CDR AWS All Rules |
| D9.AWS.103.40436 | High | Temporary Credentials Created From Permanent User | Modification | Logic | | | D9.AWS.103.40436 | AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Initial Access; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Defense Evasion; CloudGuard CDR AWS All Rules |
| D9.AWS.108.63748 | High | Unsecured Task Definition Created - hostPath | Modification | Logic | | | D9.AWS.108.63748 | AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Cloud Asset Management; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Privilege Escalation; CloudGuard CDR AWS All Rules |
| D9.AWS.107.65125 | Low | Suspicious NTP Packets Volume Per Session | Modification | Logic | | | D9.AWS.107.65125 | AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Command and Control; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; CloudGuard CDR AWS All Rules |
| D9.AZU.107.31878 | Low | Suspicious NTP Packet Size | Modification | Logic | | | D9.AZU.107.31878 | Azure CloudGuard Network Security; Azure CloudGuard Vulnerability and Threat Management; Azure CloudGuard Best Practices; None; Azure MITRE ATT&CK ™ - Command and Control; Azure MITRE ATT&CK ™ - Exfiltration; Azure MITRE ATT&CK ™ - Impact; CloudGuard CDR Azure All Rules |
| D9.AWS.108.54497 | High | Unsecured Task Definition Created - Dangerous Capabilities | Modification | Logic | | | D9.AWS.108.54497 | AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Initial Access; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; CloudGuard CDR AWS All Rules |

October 16 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AWS.502.75889 | High | Crypto mining terms have been identified | Modification | Logic | | | D9.AWS.502.75889 | AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Impact |

October 07 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AWS.103.87181 | Medium | S3 Bucket Server Access Logs Disabled | New | | | | D9.AWS.103.87181 | AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices |
| D9.AWS.105.25835 | Informational | CloudFront Function Created | New | | | | D9.AWS.105.25835 | AWS CloudGuard Account Activity; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Discovery |
| D9.AWS.100.57034 | Critical | EC2 AMI is made public in AWS. | New | | | | D9.AWS.100.57034 | AWS CloudGuard Account Activity; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Defense Evasion; CloudGuard CDR AWS All Rules |
| D9.AZU.512.43406 | High | Anomalous Login to the Microsoft Entra Connect Synchronization Account | Modification | Name | Anomalous Login to the Azure AD Connect Synchronization Account | Anomalous Login to the Microsoft Entra Connect Synchronization Account | D9.AZU.512.43406 | Azure CloudGuard Identity and Access Management; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Initial Access; Azure MITRE ATT&CK ™ - Credential Access; Azure MITRE ATT&CK ™ - Lateral Movement; Azure CloudGuard Best Practices; CloudGuard CDR Azure All Rules |

September 30 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.56418 | High | Exploiting elevated user access Administrator role | Modification | Name | EXPLOITING ELEVATED USER ACCESS ADMINISTRATOR ROLE | Exploiting elevated user access Administrator role | D9.AZU.512.56418 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Lateral Movement |

September 16 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.95565 | High | Multitenant Access Configured for Azure App | Modification | Logic | | | D9.AZU.512.95565 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Collection |
| D9.AZU.512.93543 | High | Admin Permissions Granted to AKS Cluster Service Account | Modification | Logic | | | D9.AZU.512.93543 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Lateral Movement; Azure MITRE ATT&CK ™ - Privilege Escalation |

September 05 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.63813 | High | User Assigned as Subscription Owner | New | | | | D9.AZU.512.63813 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Initial Access |
| D9.AZU.512.95565 | High | Multitenant Access Configured for Azure App | New | | | | D9.AZU.512.95565 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Collection |
| D9.AZU.512.93543 | High | Admin Permissions Granted to AKS Cluster Service Account | New | | | | D9.AZU.512.93543 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Lateral Movement; Azure MITRE ATT&CK ™ - Privilege Escalation |
| None | Medium | General Guard Duty Rule | Removal | | | | None | AWS GuardDuty |

August 11 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.56418 | High | EXPLOITING ELEVATED USER ACCESS ADMINISTRATOR ROLE | Modification | Name | Exploiting elevated user access administrator role | EXPLOITING ELEVATED USER ACCESS ADMINISTRATOR ROLE | D9.AZU.512.56418 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Lateral Movement |

August 06 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.87013 | High | Azure Firewall Rules Changed | New | | | | D9.AZU.512.87013 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion |
| D9.AZU.512.65751 | Low | Azure Active Directory PowerShell Sign-In | New | | | | D9.AZU.512.65751 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Initial Access |
| D9.AWS.502.48632 | High | S3 ACL Enumeration Attack | New | | | | D9.AWS.502.48632 | AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Discovery |
| D9.AZU.512.59482 | Low | Write Permissions Added to Service Principal | New | | | | D9.AZU.512.59482 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Persistence |

July 24 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.73899 | Critical | Suspicious Automation Tool Detected | Modification | Logic | | | D9.AZU.512.73899 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Initial Access |

July 04 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.25639 | Low | Azure Outbound Response from an internal server file sharing port to a malicious IP | Modification | Name | AZU Outbound Response from an internal server file sharing port to a malicious IP | Azure Outbound Response from an internal server file sharing port to a malicious IP | D9.AZU.512.25639 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.25894 | Low | Azure Outbound Response from a Server DB port to a malicious IP | Modification | Name | AZU Outbound Response from a Server DB port to a malicious IP | Azure Outbound Response from a Server DB port to a malicious IP | D9.AZU.512.25894 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.64183 | Critical | Azure Outbound communication from a Server DB port to a malicious IP | Modification | Name | AZU Outbound communication from a Server DB port to a malicious IP | Azure Outbound communication from a Server DB port to a malicious IP | D9.AZU.512.64183 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.42349 | Low | Outbound Traffic to a Compromised Server | Modification | Logic | | | D9.AZU.512.42349 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Initial Access |
| D9.AZU.512.86610 | Critical | Azure Outbound communication from an internal server file sharing port to a malicious IP | Modification | Name | AZU Outbound communication from an internal server file sharing port to a malicious IP | Azure Outbound communication from an internal server file sharing port to a malicious IP | D9.AZU.512.86610 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.86161 | Informational | Azure General Outbound Traffic to a malicious IP | Modification | Name | AZU General Outbound Traffic to a malicious IP | Azure General Outbound Traffic to a malicious IP | D9.AZU.512.86161 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.67901 | Low | Azure Outbound Response from internal server remote access port to a malicious IP | Modification | Name | AZU Outbound Response from internal server remote access port to a malicious IP | Azure Outbound Response from internal server remote access port to a malicious IP | D9.AZU.512.67901 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.68557 | Critical | Azure Outbound communication from internal server remote access port to a malicious IP | Modification | Name | AZU Outbound communication from internal server remote access port to a malicious IP | Azure Outbound communication from internal server remote access port to a malicious IP | D9.AZU.512.68557 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |

June 24 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.78077 | Informational | Azure Compute SSH Key pair Generated | New | | | | D9.AZU.512.78077 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence |
| D9.AZU.512.91020 | Low | Azure File Share modified. | New | | | | D9.AZU.512.91020 | Azure MITRE ATT&CK ™ - Persistence; Azure CloudGuard Best Practices |
| D9.AZU.512.86161 | Informational | AZU General Outbound Traffic to a malicious IP | Modification | Logic; Severity | Critical | Informational | D9.AZU.512.86161 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.12198 | Low | Azure Firewall Deleted | New | | | | D9.AZU.512.12198 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion |
| D9.AZU.512.51624 | Informational | Azure Compute SSH Key pair deleted | New | | | | D9.AZU.512.51624 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Impact |
| D9.AWS.502.82906 | Informational | Outbound Response from a Server Network Port to a Malicious IP | Modification | Logic; Severity | Low | Informational | D9.AWS.502.82906 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AZU.512.21549 | Critical | Azure Network Watcher was created or modified | New | | | | D9.AZU.512.21549 | Azure MITRE ATT&CK ™ - Credential Access; Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Discovery |
| D9.AWS.502.95086 | Critical | Outbound Communication from a Server Remote Access Port to a Malicious IP | Modification | Logic | | | D9.AWS.502.95086 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AZU.512.47677 | Low | Azure managed disks snapshots were modified. | New | | | | D9.AZU.512.47677 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Defense Evasion |
| D9.AZU.512.15433 | Low | Azure Service Principal added | New | | | | D9.AZU.512.15433 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Persistence |
| D9.AWS.502.62800 | Medium | Outbound Response from a Server Remote Access Port to a Malicious IP | Modification | Logic | | | D9.AWS.502.62800 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.502.89983 | Critical | Outbound Communication from a Server Network Port to a Malicious IP | Removal | | | | D9.AWS.502.89983 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |

June 18 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.73899 | Critical | Suspicious Automation Tool Detected | New | | | | D9.AZU.512.73899 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Initial Access |
| D9.AZU.512.42349 | Low | Outbound Traffic to a Compromised Server | New | | | | D9.AZU.512.42349 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Initial Access |

June 17 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.86161 | Critical | AZU General Outbound Traffic to a malicious IP | New | | | | D9.AZU.512.86161 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.25894 | Low | AZU Outbound Response from a Server DB port to a malicious IP | New | | | | D9.AZU.512.25894 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.67901 | Low | AZU Outbound Response from internal server remote access port to a malicious IP | New | | | | D9.AZU.512.67901 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.25639 | Low | AZU Outbound Response from an internal server file sharing port to a malicious IP | New | | | | D9.AZU.512.25639 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.64183 | Critical | AZU Outbound communication from a Server DB port to a malicious IP | New | | | | D9.AZU.512.64183 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.86610 | Critical | AZU Outbound communication from an internal server file sharing port to a malicious IP | New | | | | D9.AZU.512.86610 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.512.68557 | Critical | AZU Outbound communication from internal server remote access port to a malicious IP | New | | | | D9.AZU.512.68557 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Exfiltration |
| D9.AWS.502.41540 | Critical | Outbound Communication from a Server File-sharing Port to a Malicious IP | New | | | | D9.AWS.502.41540 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.502.54494 | Critical | Outbound Communication from a Server DB Port to a Malicious IP | New | | | | D9.AWS.502.54494 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.502.89983 | Critical | Outbound Communication from a Server Network Port to a Malicious IP | New | | | | D9.AWS.502.89983 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.502.95086 | Critical | Outbound Communication from a Server Remote Access Port to a Malicious IP | New | | | | D9.AWS.502.95086 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.502.62800 | Medium | Outbound Response from a Server Remote Access Port to a Malicious IP | New | | | | D9.AWS.502.62800 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.502.86161 | Low | Outbound Response from a Server File-sharing Port to a Malicious IP | New | | | | D9.AWS.502.86161 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.502.82906 | Low | Outbound Response from a Server Network Port to a Malicious IP | New | | | | D9.AWS.502.82906 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.105.7551 | High | Port Scanning of an Internal Asset | Modification | Logic | | | D9.AWS.105.7551 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Discovery; AWS CloudGuard Best Practices |
| D9.AWS.502.62133 | Low | Outbound Response from a Server DB Port to a Malicious IP | New | | | | D9.AWS.502.62133 | AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices |
| D9.AWS.107.86159 | Critical | Outbound Traffic to Malicious IP Addresses | Removal | | | | D9.AWS.107.86159 | AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Best Practices; AWS MITRE ATT&CK ™ - Exfiltration |
| D9.AZU.107.86159 | Critical | Outbound Traffic to Malicious IP Addresses | Removal | | | | D9.AZU.107.86159 | Azure CloudGuard Network Security; Azure CloudGuard Vulnerability and Threat Management; Azure CloudGuard Best Practices; None; Azure MITRE ATT&CK ™ - Exfiltration |

June 06 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.97932 | Medium | A Microsoft Entra Custom Role Was Created with Owner Permissions | New | | | | D9.AZU.512.97932 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence |
| D9.AZU.512.38978 | Informational | Admin permissions attached to a User | New | | | | D9.AZU.512.38978 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence |
| D9.AZU.512.23181 | Informational | New User Created | New | | | | D9.AZU.512.23181 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence |
| D9.AZU.512.55860 | Low | A Role Has Been Updated | New | | | | D9.AZU.512.55860 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence |
| D9.AZU.512.80236 | Informational | Admin permissions attached to a Group | New | | | | D9.AZU.512.80236 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence |
| D9.AZU.512.60844 | Low | An Azure custom role was created with permissions to Active Directory | New | | | | D9.AZU.512.60844 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.64788 | Low | An Azure custom role was created with full action permissions | New | | | | D9.AZU.512.64788 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.39261 | Informational | SQL database Transparent Data Encryption Modified | New | | | | D9.AZU.512.39261 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Impact |
| D9.AZU.512.56218 | Informational | Blob Versioning were Disabled | New | | | | D9.AZU.512.56218 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Impact; Azure MITRE ATT&CK ™ - Execution |
| D9.AZU.512.94460 | Medium | Company settings were modified | New | | | | D9.AZU.512.94460 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Initial Access; Azure MITRE ATT&CK ™ - Persistence |
| D9.AZU.512.47901 | Informational | Network Security Groups were created or updated | New | | | | D9.AZU.512.47901 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.84822 | Low | Security info was changed | New | | | | D9.AZU.512.84822 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.93662 | Informational | Security Group rule Modification | New | | | | D9.AZU.512.93662 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.46481 | Informational | Network Security Groups were deleted | New | | | | D9.AZU.512.46481 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.54312 | Informational | User Added to a Group | New | | | | D9.AZU.512.54312 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.21188 | Informational | User Login Profile Updated | New | | | | D9.AZU.512.21188 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Impact |
| D9.AZU.512.78321 | Informational | Azure Virtual Network was Created or Modified. | New | | | | D9.AZU.512.78321 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Persistence |
| D9.AZU.512.61204 | Low | Azure Virtual Network Deleted. | New | | | | D9.AZU.512.61204 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Impact; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Persistence |

May 27 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.84822 | Low | Security info was changed | New | | | | D9.AZU.512.84822 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.21983 | Low | Security info Deleted | New | | | | D9.AZU.512.21983 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.37384 | Medium | User cancelled security info registration | New | | | | D9.AZU.512.37384 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.20609 | High | Admin deleted security info | New | | | | D9.AZU.512.20609 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Credential Access |
| D9.AZU.512.85015 | Medium | Admin updated security info | New | | | | D9.AZU.512.85015 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Credential Access |

May 26 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.52853 | Low | Create or Update Virtual Network Subnet | New | | | | D9.AZU.512.52853 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Discovery |
| D9.AZU.512.82136 | High | Auto Scale Instance Disabled | New | | | | D9.AZU.512.82136 | Azure MITRE ATT&CK ™ - Impact; Azure CloudGuard Best Practices |
| D9.AZU.512.77122 | Low | Azure File Share deleted | New | | | | D9.AZU.512.77122 | Azure MITRE ATT&CK ™ - Impact; Azure CloudGuard Best Practices |
| D9.AZU.512.13719 | Medium | AKS Cluster Deleted | New | | | | D9.AZU.512.13719 | Azure MITRE ATT&CK ™ - Impact; Azure CloudGuard Best Practices |
| D9.AZU.512.99000 | Medium | Create or Update Virtual Machine | New | | | | D9.AZU.512.99000 | Azure MITRE ATT&CK ™ - Impact; Azure MITRE ATT&CK ™ - Collection; Azure CloudGuard Best Practices |
| D9.AZU.512.31736 | Low | NAT Gateway Created or Updates | New | | | | D9.AZU.512.31736 | Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Defense Evasion; Azure CloudGuard Best Practices |
| D9.AZU.512.50301 | High | Network Firewall Diagnostic Setting Modified | New | | | | D9.AZU.512.50301 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Credential Access; Azure MITRE ATT&CK ™ - Discovery |
| D9.AZU.512.50341 | Low | A Container App Instance Has Been Updated | New | | | | D9.AZU.512.50341 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Impact; Azure MITRE ATT&CK ™ - Execution |

May 21 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.60724 | Critical | Conditional Access Policy Deletion | New | | | | D9.AZU.512.60724 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion |
| D9.AZU.512.16512 | Medium | Conditional Access Policy Modification | New | | | | D9.AZU.512.16512 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Defense Evasion |

April 18 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.21827 | High | Azure SUPERMAN Login | Modification | Logic | | | D9.AZU.512.21827 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Initial Access; Azure CloudGuard Identity and Access Management; Azure MITRE ATT&CK ™ - Credential Access |

April 02 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.AZU.512.15964 | Critical | Active Directory high-privileged role assigned to non-user entity | New | | | | D9.AZU.512.15964 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.96515 | High | Elevated Azure Graph API permissions granted | New | | | | D9.AZU.512.96515 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Lateral Movement; Azure MITRE ATT&CK ™ - Privilege Escalation |
| D9.AZU.512.23090 | Critical | Unauthorized actions under tenant's scope | New | | | | D9.AZU.512.23090 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Lateral Movement |
| D9.AZU.512.56418 | High | Exploiting elevated user access administrator role | New | | | | D9.AZU.512.56418 | Azure CloudGuard Best Practices; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Lateral Movement |

February 14 2024

| GSL ID | Severity | Rule Name | Change Type | Updated Content | Before | After | Rule ID | Affected Rulesets |
|---|---|---|---|---|---|---|---|---|
| D9.K8S.522.83805 | Medium | Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH | Modification | Logic; Severity | Informational | Medium | D9.K8S.522.83805 | Kubernetes CloudGuard Best Practices |
| D9.K8S.522.44344 | Medium | Outbound Traffic to a Compromised Server From a Kubernetes Cluster | Modification | Logic; Severity | Low | Medium | D9.K8S.522.44344 | Kubernetes CloudGuard Best Practices |
| D9.AWS.108.75279 | Informational | EKS Cluster Deleted | Removal | | | | D9.AWS.108.75279 | Kubernetes CloudGuard Best Practices |
| D9.AWS.108.02076 | Medium | Lack of Service Account Usage in Kubernetes Node | Removal | | | | D9.AWS.108.02076 | Kubernetes CloudGuard Best Practices |
| D9.AWS.108.12930 | Low | EKS Cluster Control Plane Logs Disabled | Removal | | | | D9.AWS.108.12930 | Kubernetes CloudGuard Best Practices |
| D9.AWS.108.88809 | Informational | Fargate Profile Created For Cluster | Removal | | | | D9.AWS.108.88809 | Kubernetes CloudGuard Best Practices |

July 03 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.108.30061

Medium

Shared EBS Snapshot Was Copied by another AWS Account

Modification

  • Name

  • Severity

  • Shared EBS Snapshot Was Copied by an External Account

  • High

  • Shared EBS Snapshot Was Copied by another AWS Account

  • Medium

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

June 18 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.103.02144

Low

Abuse of unsuccessful AssumeRole

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS CloudGuard Best Practices

May 28 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.502.28997

Informational

Discovery operation using multiple Describe / List APIs

Modification

  • Name

  • Logic

  • Severity

  • Multiple Describe APIs Detected

  • Medium

  • Discovery operation using multiple Describe / List APIs

  • Informational

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

April 23 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.502.82498

High

Access key used from multiple IPs

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Best Practices

March 30 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.502.77808

Medium

MFA failed attempts

Modification

  • Logic

 

 

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK ™ - Credential Access

D9.AWS.502.81184

Low

S3 Bucket Object Collection Pattern

Modification

  • Severity

  • High

  • Low

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK ™ - Collection

March 29 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.0.75748

Informational

The trust policy of a role was modified to allow third party access

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.502.29977

Informational

CodeCommit GitPull Request

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.502.77808

Medium

MFA failed attempts

New

 

 

 

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK ™ - Credential Access

D9.AWS.502.93892

High

Malicious Source Address Detected in SES or SNS

New

 

 

 

  • AWS CloudGuard Best Practices

D9.AWS.105.7551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AWS.502.81184

High

S3 Bucket Object Collection Pattern

New

 

 

 

  • AWS CloudGuard Best Practices

  • AWS MITRE ATT&CK ™ - Collection

March 20 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.502.49684

Medium

External DescribeVpcs Request

New

 

 

 

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AWS.502.28997

Medium

Multiple Describe APIs Detected

New

 

 

 

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

March 05 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.502.24751

Informational

Account Password Policy Discovery

New

 

 

 

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AZU.512.86212

Informational

Attach Role to Key Vault

New

 

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AZU.512.78826

Informational

Failed Login Attempts to Your AZURE Console Using an Invalid Username or Password

New

 

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AWS.101.50079

Informational

Security Group Modification

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS CloudGuard Best Practices

D9.AZU.512.55123

Low

Storage account key regenerate

New

 

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Collection

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AWS.502.35659

Critical

VPC Traffic Mirroring Session Created

New

 

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS CloudGuard Best Practices

February 19 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.0.89909

Informational

GuardDuty Disabled

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Execution

  • AWS CloudGuard Best Practices

D9.AWS.502.94981

High

A Command Was Sent to All Managed Instances

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Execution

  • AWS CloudGuard Best Practices

D9.AWS.108.02681

Low

A Container Has Been Stopped Due to Absence of an Attached Foreground Process

Modification

  • Logic

 

 

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

D9.AWS.108.98942

Low

A Container Has Been Stopped Due to SIGKILL

Modification

  • Logic

 

 

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

D9.AWS.108.93156

Low

A Container Has Been Stopped Due to SIGSEGV

Modification

  • Logic

 

 

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

D9.AWS.108.51231

Low

A Container Has Been Stopped Due to SIGTERM

Modification

  • Logic

 

 

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

D9.AWS.108.84400

Low

A Container Has Been Stopped Due to Application Error or Incorrect Reference

Modification

  • Logic

 

 

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

D9.AWS.0.84417

Low

A New Overly-Permissive Policy Was Set to Default

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.502.54053

Informational

Abuse of Role Credentials

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Best Practices

D9.ALI.702.19961

Low

Abuse of Unsuccessful AssumeRole

Modification

  • Logic

 

 

  • Alibaba CloudGuard Best Practices

D9.AWS.103.02144

Low

Abuse of unsuccessful AssumeRole

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Best Practices

D9.AZU.512.02147

Low

Abuse of unsuccessful Role assignments

New

 

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure MITRE ATT&CK ™ - Persistence

  • Azure MITRE ATT&CK ™ - Privilege Escalation

  • Azure MITRE ATT&CK ™ - Defense Evasion

  • Azure CloudGuard Best Practices

D9.AWS.102.06565

Medium

Administrator Permissions Attached to a Role

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.0.74281

Low

Administrator Permissions Attached to a User

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Serverless

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.102.06361

Low

AdministratorAccess Permissions Attached to a Role

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.0.49438

Low

AdministratorAccess Permissions Attached to a User

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.ALI.702.06360

Low

AdministratorAccess Permissions were attached to a Role

Modification

  • Logic

 

 

  • Alibaba CloudGuard Best Practices

D9.AWS.0.56594

Medium

Policy Containing All Resources Attached to a Role

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS CloudGuard Best Practices

D9.AWS.0.44855

Medium

Policy Containing All Resources Attached to a User

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS CloudGuard Best Practices

D9.AWS.502.23667

High

IAM Policy Allowing Privilege Escalation via SSM Service

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Best Practices

D9.AWS.0.23097

Low

An Existing IAM Policy Version Was Set to Default

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.108.95360

Informational

An Image Was Pushed to a Repository

Modification

  • Logic

 

 

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Execution

D9.AWS.108.69243

Critical

An S3 object is Publicly Accessible

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AZU.512.40041

Low

Azure App Role Assigned to Service Principals/Users/Groups

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure MITRE ATT&CK ™ - Persistence

  • Azure MITRE ATT&CK ™ - Privilege Escalation

  • Azure MITRE ATT&CK ™ - Defense Evasion

  • Azure CloudGuard Best Practices

D9.AWS.0.86206

Informational

Attach Role to Instance

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS CloudGuard Account Activity

D9.AZU.512.86207

Informational

Attach Role to Virtual machine

New

 

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AWS.0.17234

Informational

Attachment of User/Group/Role Policy

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Account Activity

D9.AZU.512.21827

High

Azure SUPERMAN Login

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure CloudGuard Best Practices

D9.AZU.512.06380

Medium

Same User Login Attempt From Multiple Sources in a Short Period

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AWS.108.49195

High

Brute-force Attack on an S3 Bucket

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.0.71403

Medium

A Policy with IAM CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.802.0

Informational

Ciem Trigger Event

Modification

  • Logic

 

 

  • None

D9.AWS.502.75889

High

Crypto mining terms have been identified

Modification

  • Logic

 

 

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.AWS.502.73254

Low

EC2 created in multiple regions

Modification

  • Logic

 

 

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.AWS.104.78825

Informational

Failed Login Attempts to Your AWS Console Using an Invalid Username

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

D9.AWS.107.02069

Medium

FullAccess Permissions Attached to a Role

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.0.87124

Medium

FullAccess Permissions Attached to a User

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.107.94125

Medium

Wide-Permissions Policy Attached to a Role

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.AWS.502.83517

Medium

Wide-Permissions Policy Attached to a User

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AZU.512.37886

Low

Function Bindings Modified

Modification

  • Logic

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AWS.105.66271

Low

IAM Permissions Enumeration

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AWS.108.33582

High

Image Scanning Disabled For Repository

Modification

  • Logic

 

 

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Execution

  • AWS CloudGuard Best Practices

D9.AZU.107.71929

High

Inbound Accepted Traffic From a Malicious IP Address

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Best Practices

D9.GCP.515.44354

High

Inbound Accepted Traffic From a Malicious IP Address

Modification

  • Logic

 

 

  • GCP CloudGuard Network Traffic

D9.K8S.107.71929

High

Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.107.1929

High

Inbound Accepted Traffic From a Malicious IP Address

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AZU.105.14069

Low

Internal Rejected Traffic

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure CloudGuard Best Practices

D9.AWS.105.14069

Low

Internal Rejected Traffic

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AWS.108.97652

Medium

K8S SSH Access to Nodes From Pods

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AZU.512.17236

Informational

Key Vault has been created

New

 

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure MITRE ATT&CK ™ - Persistence

  • Azure MITRE ATT&CK ™ - Privilege Escalation

  • Azure MITRE ATT&CK ™ - Defense Evasion

  • Azure CloudGuard Best Practices

D9.AZU.512.56100

Low

Large Number of Failed Logins to Azure

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AWS.104.31471

Low

Large Number of Failed Logins to AWS console

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

D9.ALI.702.16860

High

Login Attempt to Alibaba console From a Malicious IP Address

Modification

  • Logic

 

 

  • Alibaba CloudGuard Best Practices

D9.AZU.512.51420

Low

Azure Login Attempt With 2 Different User-Agents in a Short Time

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AWS.104.70939

Low

Successful Console Logins From More Than One User-Agent

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

D9.AWS.108.32872

Informational

Multiple New Instances Launched in a Short Period by a Specific User

Modification

  • Logic

 

 

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.K8S.106.00673

High

Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.106.00673

High

Outbound Traffic From DB Ports to Internet Destination

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

D9.AWS.107.22364

High

Outbound Traffic From VPC to Internet Destination Using SMB

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.GCP.515.45774

High

Outbound Traffic From VPC to Internet Destination Using RDP

Modification

  • Logic

 

 

  • GCP CloudGuard Network Traffic

D9.AWS.107.09562

High

Outbound Traffic From VPC to Internet Destination Using RDP

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

D9.AWS.108.98731

Low

Outbound Traffic Suspected as Cryptomining Activity

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.GCP.515.47515

Critical

Outbound Traffic to Tor Exit Node

Modification

  • Logic

 

 

  • GCP CloudGuard Network Traffic

D9.AWS.107.02305

Critical

Outbound Traffic to Tor Exit Node

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AZU.107.86159

Critical

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Exfiltration

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.GCP.515.40828

Critical

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • GCP CloudGuard Network Traffic

D9.K8S.522.86159

Critical

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.107.86159

Critical

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.0.90746

High

Public S3 Bucket, Overly-Permissive Access Point Policy

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS CloudGuard Serverless

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.0.58711

High

Public S3 Bucket, Overly-Permissive Bucket Policy

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS CloudGuard Serverless

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.107.54705

Medium

Overly-Permissive IAM Policy Attached to a Role

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Best Practices

D9.AWS.107.91925

Medium

Overly-Permissive IAM Policy Attached to a User

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Best Practices

D9.AWS.108.80248

Medium

Overly-Permissive Lambda Permission

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.102.42790

Medium

Overly-Permissive Trust Policy Attached to a Role

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Best Practices

D9.AWS.108.27256

Medium

Overly-Permissive Policy Attached to an SES Identity

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Best Practices

D9.AWS.502.35353

Medium

Overly-Permissive SNS Policy

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Best Practices

D9.AWS.108.88304

Medium

Overly-Permissive SQS Policy

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Best Practices

D9.AZU.512.40042

Low

Owner Added to a Group

New

 

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure MITRE ATT&CK ™ - Persistence

  • Azure MITRE ATT&CK ™ - Privilege Escalation

  • Azure MITRE ATT&CK ™ - Defense Evasion

  • Azure CloudGuard Best Practices

D9.AZU.512.40043

Low

Owner Removed from a Group

New

 

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure MITRE ATT&CK ™ - Persistence

  • Azure MITRE ATT&CK ™ - Privilege Escalation

  • Azure MITRE ATT&CK ™ - Defense Evasion

  • Azure CloudGuard Best Practices

D9.AWS.108.42542

Low

Password Policy Change

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Best Practices

D9.AZU.512.55554

Informational

Permissions Modified For Blob

New

 

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Collection

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AZU.512.55555

Informational

Permissions Modified For Storage account

New

 

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Collection

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AZU.512.55553

Informational

Permissions Modified For Table

New

 

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Collection

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AWS.106.95525

Medium

Permissions Scanning Attempt

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.K8S.105.87085

Medium

Ping Sweep Activity From Within a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.105.87086

Medium

Ping Sweep Activity

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

D9.AWS.105.54069

High

Port Scan of Internal Asset From ECS

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.GCP.515.48951

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • GCP CloudGuard Network Traffic

D9.K8S.105.17551

High

Port Scanning of an Internal Asset From a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.103.82628

Low

Privilege Escalation via Policy Version

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Best Practices

D9.AWS.0.88439

High

RDS Instance Password Changed

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Serverless

  • AWS CloudGuard Account Activity

D9.AWS.108.67850

High

RDS Instance Publicly Accessible

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AZU.512.46487 | Informational | Role Detached from Virtual machine | New
  • Affected Rulesets: Azure CloudGuard Cloud Asset Management; Azure MITRE ATT&CK ™ - Impact; Azure CloudGuard Serverless; Azure CloudGuard Best Practices

D9.AWS.104.44218 | Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Credential Access

D9.AWS.104.92018 | High | Same User Login From Multiple Locations | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS CloudGuard Best Practices

D9.AWS.101.50079 | Informational | Security Group Modification | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Best Practices

D9.AWS.106.83555 | High | Successful API Request Originated From a Suspicious User-Agent | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Execution; AWS CloudGuard Best Practices

D9.AZU.512.85876 | Critical | Successful API Request Originated From a Malicious IP Address | Modification
  • Updated Content: Logic
  • Affected Rulesets: Azure CloudGuard Network Security; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Exfiltration; Azure MITRE ATT&CK ™ - Impact; Azure MITRE ATT&CK ™ - Command and Control; Azure CloudGuard Best Practices

D9.AWS.108.74210 | Critical | Successful API Request Originated From a Malicious IP Address | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Execution; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.AWS.502.10631 | High | Suspicious Command Was Sent to a Managed Instance | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Execution; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.AWS.107.09957 | Low | Suspicious DNS Packet Size | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Discovery; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.GCP.515.54560 | Low | Suspicious DNS Packet Size | Modification
  • Updated Content: Logic
  • Affected Rulesets: GCP CloudGuard Network Traffic

D9.GCP.515.80600 | Low | Suspicious DNS Packets Volume Per Session | Modification
  • Updated Content: Logic
  • Affected Rulesets: GCP CloudGuard Network Traffic

D9.AWS.107.37118 | Low | Suspicious DNS Packets Volume Per Session | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Discovery; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.GCP.515.61003 | Low | Suspicious NTP Packet Size | Modification
  • Updated Content: Logic
  • Affected Rulesets: GCP CloudGuard Network Traffic

D9.AZU.107.31879 | Low | Suspicious NTP Packet Size From a Kubernetes Pod | Modification
  • Updated Content: Logic
  • Affected Rulesets: Kubernetes CloudGuard Best Practices

D9.AWS.107.31878 | Low | Suspicious NTP Packet Size | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Discovery; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.AZU.107.65125 | Low | Suspicious NTP Packets Volume Per Session | Modification
  • Updated Content: Logic
  • Affected Rulesets: Azure CloudGuard Network Security; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Discovery; Azure MITRE ATT&CK ™ - Command and Control; Azure CloudGuard Best Practices

D9.GCP.515.97764 | Low | Suspicious NTP Packets Volume Per Session | Modification
  • Updated Content: Logic
  • Affected Rulesets: GCP CloudGuard Network Traffic

D9.AWS.107.65125 | Low | Suspicious NTP Packets Volume Per Session | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Discovery; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.K8S.522.65125 | Low | Suspicious NTP Packets Volume From a Kubernetes Pod | Modification
  • Updated Content: Logic
  • Affected Rulesets: Kubernetes CloudGuard Best Practices

D9.AWS.108.25508 | High | Suspicious StartSession Event Was Triggered | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Best Practices

D9.AWS.101.97471 | Low | Suspicious Outbound Traffic to a Phishing Server | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.AWS.108.32378 | High | Public S3 Bucket, Overly-Permissive ACL | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Identity and Access Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AWS.108.10767 | High | Unsecured PassRole Permission Was Applied to a Role | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Best Practices

D9.AWS.108.17277 | High | Unsecured PassRole Permission Was Applied to a User | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Best Practices

D9.AWS.108.29542 | High | Unsecured Repository Created | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Best Practices

D9.AWS.108.83241 | High | Unsecured Task Definition Created - Privileged Container | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AWS.108.63748 | High | Unsecured Task Definition Created - hostPath | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Best Practices

D9.AWS.108.85090 | High | Unsecured Task Definition Created - Env Var and Command | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Execution; AWS CloudGuard Best Practices

D9.AWS.502.56156 | Informational | User Data has been modified | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Best Practices

February 05 2023

Rule ID | Severity | Rule Name | Change Type
  • Updated Content / Before / After / Affected Rulesets

D9.AZU.512.65556 | Medium | Azure Admin Consent Was Launched | Modification
  • Updated Content: Logic
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Impact; Azure CloudGuard Best Practices

D9.AWS.0.56594 | Medium | Policy Containing All Resources Attached to a Role | Modification
  • Updated Content: Severity
  • Before: Low
  • After: Medium
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS CloudGuard Best Practices

D9.AWS.108.69243 | Critical | An S3 object is Publicly Accessible | Modification
  • Updated Content: Severity
  • Before: High
  • After: Critical
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AZU.512.40041 | Low | Azure App Role Assigned to Service Principals/Users/Groups | Modification
  • Updated Content: Logic
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Defense Evasion; Azure CloudGuard Best Practices

D9.AZU.512.06380 | Medium | Same User Login Attempt From Multiple Sources in a Short Period | Modification
  • Updated Content: Severity
  • Before: High
  • After: Medium
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Initial Access; Azure MITRE ATT&CK ™ - Credential Access; Azure CloudGuard Best Practices

D9.AZU.512.03312 | Medium | Credentials Were Added to an Azure AD Application | Modification
  • Updated Content: Logic
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Defense Evasion; Azure MITRE ATT&CK ™ - Credential Access; Azure CloudGuard Best Practices

D9.AZU.512.35494 | Medium | Azure Credentials Were Added to an Azure AD Service Principal | Modification
  • Updated Content: Logic
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Credential Access; Azure CloudGuard Best Practices

D9.AWS.107.02069 | Medium | FullAccess Permissions Attached to a Role | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.AWS.0.87124 | Medium | FullAccess Permissions Attached to a User | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.K8S.107.71929 | High | Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address | Modification
  • Updated Content: Logic
  • Affected Rulesets: Kubernetes CloudGuard Best Practices

D9.AWS.522.19248 | Medium | K8S Pod Access to Metadata | Modification
  • Updated Content: Severity
  • Before: Low
  • After: Medium
  • Affected Rulesets: Kubernetes CloudGuard Best Practices

D9.AWS.502.82498 | High | Access key used from multiple IPs | New
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Credential Access; AWS CloudGuard Best Practices

D9.K8S.522.44344 | Low | Outbound Traffic to a Compromised Server From a Kubernetes Cluster | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: Kubernetes CloudGuard Best Practices

D9.AZU.107.65125 | Low | Suspicious NTP Packets Volume Per Session | Modification
  • Updated Content: Logic
  • Affected Rulesets: Azure CloudGuard Network Security; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Discovery; Azure MITRE ATT&CK ™ - Command and Control; Azure CloudGuard Best Practices

D9.AWS.103.15235 | High | Suspicious EC2 Instance Without KeyPair Was Launched | Removal
  • Affected Rulesets: AWS CloudGuard Key Management; AWS CloudGuard Vulnerability and Threat Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Best Practices

January 22 2023

Rule ID | Severity | Rule Name | Change Type
  • Updated Content / Before / After / Affected Rulesets

D9.AWS.0.84417 | Low | A New Overly-Permissive Policy Was Set to Default | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.AWS.103.02144 | Low | Abuse of unsuccessful AssumeRole | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Best Practices

D9.AWS.0.56594 | Low | Policy Containing All Resources Attached to a Role | Modification
  • Updated Content: Logic, Severity
  • Before: Severity: Medium
  • After: Severity: Low
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS CloudGuard Best Practices

D9.AWS.0.44855 | Medium | Policy Containing All Resources Attached to a User | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS CloudGuard Best Practices

D9.AWS.108.69243 | High | An S3 object is Publicly Accessible | Modification
  • Updated Content: Name, Logic, Severity
  • Before: Name: An S3 object is Public Accessible; Severity: Critical
  • After: Name: An S3 object is Publicly Accessible; Severity: High
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AWS.107.02069 | Medium | FullAccess Permissions Attached to a Role | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.AWS.0.87124 | Medium | FullAccess Permissions Attached to a User | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.AWS.107.94125 | Medium | Wide-Permissions Policy Attached to a Role | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Best Practices

D9.AWS.502.83517 | Medium | Wide-Permissions Policy Attached to a User | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.AWS.103.07409 | Low | Lambda Function Code Was Updated by an Entity Which Assumed a Role | Modification
  • Updated Content: Name
  • Before: Lambda Function Code Was Updated by an Enitity Which Assumed a Role
  • After: Lambda Function Code Was Updated by an Entity Which Assumed a Role
  • Affected Rulesets: AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Execution; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AWS.0.90746 | High | Public S3 Bucket, Overly-Permissive Access Point Policy | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Serverless; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.AWS.0.58711 | High | Public S3 Bucket, Overly-Permissive Bucket Policy | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Serverless; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.AWS.107.54705 | Medium | Overly-Permissive IAM Policy Attached to a Role | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Best Practices

D9.AWS.107.91925 | Medium | Overly-Permissive IAM Policy Attached to a User | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Best Practices

D9.AWS.108.80248 | Medium | Overly-Permissive Lambda Permission | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AWS.102.42790 | Medium | Overly-Permissive Trust Policy Attached to a Role | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Best Practices

D9.AWS.108.27256 | Medium | Overly-Permissive Policy Attached to an SES Identity | Modification
  • Updated Content: Name, Logic
  • Before: Overly-Permissive Policy Attached to an SES Idnetity
  • After: Overly-Permissive Policy Attached to an SES Identity
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Cloud Asset Management; AWS CloudGuard Best Practices

D9.AWS.108.88304 | Medium | Overly-Permissive SQS Policy | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Cloud Asset Management; AWS CloudGuard Best Practices

D9.AWS.502.49424 | Informational | Port Scanning from the Internet | New
  • Affected Rulesets: AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Discovery; AWS CloudGuard Best Practices

D9.AWS.108.32378 | High | Public S3 Bucket, Overly-Permissive ACL | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Identity and Access Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AWS.108.17277 | High | Unsecured PassRole Permission Was Applied to a User | Modification
  • Updated Content: Logic
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Best Practices

January 16 2023

Rule ID | Severity | Rule Name | Change Type
  • Updated Content / Before / After / Affected Rulesets

D9.AWS.108.37464 | Low | A Task on ECS Has Stopped Unexpectedly | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Impact

D9.ALI.702.19961 | Low | Abuse of Unsuccessful AssumeRole | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: Alibaba CloudGuard Best Practices

D9.AWS.103.02144 | Low | Abuse of unsuccessful AssumeRole | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Best Practices

D9.AWS.102.06361 | Low | AdministratorAccess Permissions Attached to a Role | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.ALI.702.06360 | Low | AdministratorAccess Permissions were attached to a Role | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: Alibaba CloudGuard Best Practices

D9.AWS.108.95360 | Informational | An Image Was Pushed to a Repository | Modification
  • Updated Content: Severity
  • Before: Low
  • After: Informational
  • Affected Rulesets: AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Execution

D9.AWS.108.69243 | Critical | An S3 object is Public Accessible | Modification
  • Updated Content: Severity
  • Before: High
  • After: Critical
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AZU.512.40041 | Low | Azure App Role Assigned to Service Principals/Users/Groups | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure MITRE ATT&CK ™ - Persistence; Azure MITRE ATT&CK ™ - Privilege Escalation; Azure MITRE ATT&CK ™ - Defense Evasion; Azure CloudGuard Best Practices

D9.AZU.512.06380 | High | Same User Login Attempt From Multiple Sources in a Short Period | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: High
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Initial Access; Azure MITRE ATT&CK ™ - Credential Access; Azure CloudGuard Best Practices

D9.AZU.512.46271 | Informational | Blob Deleted | Modification
  • Updated Content: Severity
  • Before: Low
  • After: Informational
  • Affected Rulesets: Azure CloudGuard Cloud Asset Management; Azure MITRE ATT&CK ™ - Impact; Azure CloudGuard Serverless; Azure CloudGuard Best Practices

D9.AWS.0.86971 | Informational | CloudWatch Log Group Created | Modification
  • Updated Content: Severity
  • Before: Low
  • After: Informational
  • Affected Rulesets: AWS CloudGuard Cloud Asset Management; AWS CloudGuard Account Activity

D9.AWS.108.39020 | Low | VPC Deleted | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact

D9.AWS.108.36215 | Critical | EBS Snapshot Permission Modified to Public Access | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Critical
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Identity and Access Management; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Exfiltration; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AWS.108.30061 | High | Shared EBS Snapshot Was Copied by an External Account | Modification
  • Updated Content: Severity
  • Before: Low
  • After: High
  • Affected Rulesets: AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; AWS CloudGuard Serverless; AWS CloudGuard Best Practices

D9.AWS.104.78825 | Informational | Failed Login Attempts to Your AWS Console Using an Invalid Username | Modification
  • Updated Content: Severity
  • Before: Low
  • After: Informational
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Credential Access

D9.AWS.0.87124 | Medium | FullAccess Permissions Attached to a User | Modification
  • Updated Content: Severity
  • Before: Low
  • After: Medium
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Privilege Escalation; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS CloudGuard Account Activity; AWS CloudGuard Best Practices

D9.AZU.512.81115 | Low | Function App Host Master Key Modified | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure CloudGuard Key Management; Azure CloudGuard Cloud Asset Management; Azure MITRE ATT&CK ™ - Credential Access; Azure MITRE ATT&CK ™ - Impact; Azure MITRE ATT&CK ™ - Execution; Azure CloudGuard Serverless; Azure CloudGuard Best Practices

D9.AWS.108.12930 | Low | EKS Cluster Control Plane Logs Disabled | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: Kubernetes CloudGuard Best Practices

D9.AWS.104.18467 | Low | Several Failed Logins Attempts Followed by a Successful Login to Your AWS Console | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Credential Access

D9.AWS.108.92844 | High | Login Attempt to AWS Console From a Malicious IP Address | Modification
  • Updated Content: Severity
  • Before: Critical
  • After: High
  • Affected Rulesets: AWS CloudGuard Identity and Access Management; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Initial Access; AWS MITRE ATT&CK ™ - Credential Access; AWS CloudGuard Best Practices

D9.ALI.702.16860 | High | Login Attempt to Alibaba console From a Malicious IP Address | Modification
  • Updated Content: Severity
  • Before: Critical
  • After: High
  • Affected Rulesets: Alibaba CloudGuard Best Practices

D9.AZU.512.69098 | High | Login Attempt to Azure From a Malicious IP Address | Modification
  • Updated Content: Severity
  • Before: Critical
  • After: High
  • Affected Rulesets: Azure CloudGuard Identity and Access Management; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Initial Access; Azure MITRE ATT&CK ™ - Credential Access; Azure MITRE ATT&CK ™ - Impact; Azure CloudGuard Best Practices

D9.AWS.108.48576 | Low | Modification Subnet Attributes | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Low
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Cloud Asset Management; AWS MITRE ATT&CK ™ - Persistence; AWS MITRE ATT&CK ™ - Defense Evasion; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Command and Control

D9.K8S.106.00673 | High | Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: High
  • Affected Rulesets: Kubernetes CloudGuard Best Practices

D9.AWS.106.00673 | High | Outbound Traffic From DB Ports to Internet Destination | Modification
  • Updated Content: Severity
  • Before: Low
  • After: High
  • Affected Rulesets: AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Exfiltration

D9.AWS.107.22364 | High | Outbound Traffic From VPC to Internet Destination Using SMB | Modification
  • Updated Content: Severity
  • Before: Low
  • After: High
  • Affected Rulesets: AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.AZU.512.09562 | High | Outbound Traffic From a VPC to an Internet Destination Using RDP | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: High
  • Affected Rulesets: Azure CloudGuard Network Security; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Exfiltration; Azure MITRE ATT&CK ™ - Command and Control; Azure CloudGuard Best Practices

D9.GCP.515.45774 | High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification
  • Updated Content: Severity
  • Before: Informational
  • After: High
  • Affected Rulesets: GCP CloudGuard Network Traffic

D9.AWS.107.09562 | High | Outbound Traffic From VPC to Internet Destination Using RDP | Modification
  • Updated Content: Severity
  • Before: Informational
  • After: High
  • Affected Rulesets: AWS CloudGuard Network Security; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Command and Control

D9.AZU.101.02305 | Critical | Outbound Traffic to Tor Exit Node | Modification
  • Updated Content: Severity
  • Before: High
  • After: Critical
  • Affected Rulesets: Azure CloudGuard Network Security; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Exfiltration; Azure MITRE ATT&CK ™ - Command and Control; Azure CloudGuard Best Practices

D9.GCP.515.47515 | Critical | Outbound Traffic to Tor Exit Node | Modification
  • Updated Content: Severity
  • Before: High
  • After: Critical
  • Affected Rulesets: GCP CloudGuard Network Traffic

D9.K8S.522.02305 | Critical | Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: Critical
  • Affected Rulesets: Kubernetes CloudGuard Best Practices

D9.AWS.107.02305 | Critical | Outbound Traffic to Tor Exit Node | Modification
  • Updated Content: Severity
  • Before: High
  • After: Critical
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Collection; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.AWS.107.04785 | High | Suspicious Outbound Traffic to a Suspected CnC Server | Modification
  • Updated Content: Severity
  • Before: Medium
  • After: High
  • Affected Rulesets: AWS CloudGuard Network Security; AWS CloudGuard Vulnerability and Threat Management; AWS MITRE ATT&CK ™ - Exfiltration; AWS MITRE ATT&CK ™ - Impact; AWS MITRE ATT&CK ™ - Command and Control; AWS CloudGuard Best Practices

D9.AZU.107.86159 | Critical | Outbound Traffic to Malicious IP Addresses | Modification
  • Updated Content: Severity
  • Before: High
  • After: Critical
  • Affected Rulesets: Azure CloudGuard Network Security; Azure CloudGuard Vulnerability and Threat Management; Azure MITRE ATT&CK ™ - Exfiltration; Azure MITRE ATT&CK ™ - Command and Control; Azure CloudGuard Best Practices

D9.GCP.515.40828 | Critical | Outbound Traffic to Malicious IP Addresses | Modification
  • Updated Content: Severity
  • Before: High
  • After: Critical
  • Affected Rulesets: GCP CloudGuard Network Traffic

D9.K8S.522.86159

Critical

Outbound Traffic to Malicious IP Addresses

Modification

  • Severity

  • High

  • Critical

  • Kubernetes CloudGuard Best Practices

D9.AWS.107.86159

Critical

Outbound Traffic to Malicious IP Addresses

Modification

  • Severity

  • High

  • Critical

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.102.42790

Medium

Overly-Permissive Trust Policy Attached to a Role

Modification

  • Severity

  • High

  • Medium

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Best Practices

D9.AWS.108.42542

Low

Password Policy Change

Modification

  • Severity

  • Medium

  • Low

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Best Practices

D9.AWS.108.67850

High

RDS Instance Publicly Accessible

Modification

  • Severity

  • Medium

  • High

  • AWS CloudGuard Network Security

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.108.48158

Low

S3 Bucket Deleted

Modification

  • Severity

  • Medium

  • Low

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.106.91932

High

Series of Enumeration API Calls Executed in Several Regions

Modification

  • Severity

  • Medium

  • High

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

D9.AWS.108.25508

High

Suspicious StartSession Event Was Triggered

Modification

  • Severity

  • Critical

  • High

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

January 15 2023

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.512.21827

High

Azure SUPERMAN Login

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure CloudGuard Best Practices

D9.AZU.512.06380

Medium

Same User Login Attempt From Multiple Sources in a Short Period

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AWS.522.19248

Low

K8S Pod Access to Metadata

Modification

  • Logic

  • Severity

  • High

  • Low

  • Kubernetes CloudGuard Best Practices

D9.K8S.522.83805

Informational

Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AZU.512.09562

Medium

Outbound Traffic From a VPC to an Internet Destination Using RDP

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Exfiltration

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.K8S.522.02305

Medium

Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster

Modification

  • Logic

  • Severity

  • High

  • Medium

  • Kubernetes CloudGuard Best Practices

D9.K8S.522.44344

Medium

Outbound Traffic to a Compromised Server From a Kubernetes Cluster

Modification

  • Logic

  • Severity

  • Low

  • Medium

  • Kubernetes CloudGuard Best Practices

D9.K8S.522.04785

Low

Suspicious Outbound Traffic to a CnC Server From a Kubernetes Cluster

Modification

  • Name

  • Logic

  • Suspicious Outbound Traffic as Backdoor to a CnC Server From a Kubernetes Cluster

  • Suspicious Outbound Traffic to a CnC Server From a Kubernetes Cluster

  • Kubernetes CloudGuard Best Practices

D9.K8S.522.86159

High

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AZU.512.17551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure CloudGuard Best Practices

D9.AWS.105.7551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AZU.512.09957

Low

Suspicious DNS Packet Size

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.K8S.522.09957

Low

Suspicious DNS Packet Size From a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AZU.512.37118

Low

Suspicious DNS Packets Volume Per Session

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.K8S.522.37118

Low

Suspicious DNS Packets Volume From a Kubernetes Pod

Modification

  • Name

  • Logic

  • Suspicious DNS Packets Volume Per Session From a Kubernetes Pod

  • Suspicious DNS Packets Volume From a Kubernetes Pod

  • Kubernetes CloudGuard Best Practices

D9.AZU.107.65125

Low

Suspicious NTP Packets Volume Per Session

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.AZU.512.31179

Medium

Large Number of Failed Logins Followed by a Successful Login to Your Azure Account

Removal

 

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

December 25 2022

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.512.37886

Low

Function Bindings Modified

Modification

  • Logic

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AZU.512.51420

Low

Azure Login Attempt With 2 Different User-Agents in a Short Time

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AZU.101.02305

High

Outbound Traffic to Tor Exit Node

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Exfiltration

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.AWS.105.7551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AZU.107.31878

Low

Suspicious NTP Packet Size

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

December 11 2022

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.502.54053

Informational

Abuse of Role Credentials

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Best Practices

D9.K8S.107.71929

High

Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.107.1929

High

Inbound Accepted Traffic From a Malicious IP Address

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AZU.512.56100

Low

Large Number of Failed Logins to Azure

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AWS.108.32872

Informational

Multiple New Instances Launched in a Short Period by a Specific User

Modification

  • Logic

  • Severity

  • Low

  • Informational

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.106.00673

Low

Outbound Traffic From DB Ports to Internet Destination

Modification

  • Logic

  • Severity

  • Medium

  • Low

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

D9.AWS.0.83805

Informational

Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AZU.105.17551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure CloudGuard Best Practices

D9.K8S.105.17551

High

Port Scanning of an Internal Asset From a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.101.50079

Informational

Security Group Modification

Modification

  • Logic

  • Severity

  • Medium

  • Informational

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS CloudGuard Best Practices

D9.AWS.101.97471

Low

Suspicious Outbound Traffic to a Phishing Server

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

November 28 2022

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.502.54053

Informational

Abuse of Role Credentials

New

 

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Best Practices

D9.AWS.502.75889

High

Crypto mining terms have been identified

New

 

 

 

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.AWS.502.73254

Low

EC2 created in multiple regions

New

 

 

 

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.AZU.107.71929

High

Inbound Accepted Traffic From a Malicious IP Address

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Best Practices

D9.AZU.512.56100

Low

Large Number of Failed Logins to Azure

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AZU.512.69098

Critical

Login Attempt to Azure From a Malicious IP Address

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Initial Access

  • Azure MITRE ATT&CK ™ - Credential Access

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Best Practices

D9.AZU.107.86159

High

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Exfiltration

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.AWS.502.35353

Medium

Overly-Permissive SNS Policy

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Cloud Asset Management

  • AWS CloudGuard Best Practices

D9.K8S.105.17551

High

Port Scanning of an Internal Asset From a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.K8S.522.65125

Low

Suspicious NTP Packets Volume From a Kubernetes Pod

Modification

  • Name

  • Logic

  • Suspicious NTP Packets Volume Per Session From a Kubernetes Pod

  • Suspicious NTP Packets Volume From a Kubernetes Pod

  • Kubernetes CloudGuard Best Practices

D9.AWS.108.63748

High

Unsecured Task Definition Created - hostPath

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.AWS.108.85090

High

Unsecured Task Definition Created - Env Var and Command

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Execution

  • AWS CloudGuard Best Practices

D9.AWS.502.56156

Informational

User Data has been modified

New

 

 

 

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.AWS.104.99097

High

Abuse of Access Token Generated by STS Dedicated For Lambda

Removal

 

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.104.50303

High

Abuse of Access Token Generated by STS Dedicated For EC2

Removal

 

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Best Practices

D9.AWS.108.40808

Critical

Abuse of Access Token Generated by STS Dedicated for ECS

Removal

 

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.108.55223

Critical

Abuse of Access Token Generated by STS Dedicated For Kubernetes Node Group

Removal

 

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.108.13381

Critical

Abuse of Access Token Generated by STS Dedicated For Kubernetes Pod

Removal

 

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AZU.512.87418

Low

Container Deleted

Removal

 

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Defense Evasion

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AZU.512.80640

Informational

Container Created

Removal

 

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Collection

  • Azure MITRE ATT&CK ™ - Execution

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

November 13 2022

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.512.37886

Low

Function Bindings Modified

Modification

  • Logic

 

 

  • Azure CloudGuard Cloud Asset Management

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Serverless

  • Azure CloudGuard Best Practices

D9.AZU.107.71929

High

Inbound Accepted Traffic From a Malicious IP Address

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Impact

  • Azure CloudGuard Best Practices

D9.K8S.106.00673

Medium

Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AZU.107.86159

High

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Exfiltration

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.AWS.105.7551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

November 07 2022

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.105.14069

Low

Internal Rejected Traffic

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure CloudGuard Best Practices

D9.K8S.106.00673

Medium

Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AZU.107.09562

Medium

Outbound Traffic From a VPC to an Internet Destination Using RDP

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Exfiltration

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.AWS.107.86159

High

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.K8S.105.87085

Medium

Ping Sweep Activity From Within a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.105.87086

Medium

Ping Sweep Activity

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

D9.AWS.105.7551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

November 06 2022

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AZU.105.14069

Low

Internal Rejected Traffic

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure CloudGuard Best Practices

D9.AWS.105.14069

Low

Internal Rejected Traffic

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AWS.108.19248

High

K8S Pod Access to Metadata

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.108.97652

Medium

K8S SSH Access to Nodes From Pods

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.K8S.106.00673

Medium

Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.106.00673

Medium

Outbound Traffic From DB Ports to Internet Destination

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

D9.AWS.107.22364

Low

Outbound Traffic From VPC to Internet Destination Using SMB

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.0.83805

Informational

Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AZU.107.09562

Medium

Outbound Traffic From a VPC to an Internet Destination Using RDP

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Exfiltration

  • Azure MITRE ATT&CK ™ - Command and Control

  • Azure CloudGuard Best Practices

D9.AWS.107.09562

Informational

Outbound Traffic From VPC to Internet Destination Using RDP

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

D9.AWS.108.98731

Low

Outbound Traffic Suspected as Cryptomining Activity

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.02305

High

Outbound Traffic to Tor Exit Node

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.04785

Medium

Suspicious Outbound Traffic to a Suspected CnC Server

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.86159

High

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.K8S.105.87085

Medium

Ping Sweep Activity From Within a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.105.87086

Medium

Ping Sweep Activity

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

D9.AWS.105.54069

High

Port Scan of Internal Asset From ECS

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.105.17551

High

Port Scanning of an Internal Asset From a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.105.7551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AWS.107.09957

Low

Suspicious DNS Packet Size

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.37118

Low

Suspicious DNS Packets Volume Per Session

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.31878

Low

Suspicious NTP Packet Size

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.65125

Low

Suspicious NTP Packets Volume Per Session

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS MITRE ATT&CK ™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.101.97471

Low

Suspicious Outbound Traffic to a Phishing Server

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Command and Control

D9.AWS.108.54497

High

Unsecured Task Definition Created - Dangerous Capabilities

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.AWS.108.64899

Medium

Unusual Exposed Ports on Instance

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Collection

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS CloudGuard Best Practices

D9.K8S.108.98731

Low

Outbound Traffic From a Kubernetes Cluster Suspected as Cryptomining Activity

Removal

 

 

 

  • Kubernetes CloudGuard Best Practices

October 30 2022

Note: This is the first release note; it includes all changes from 11.09.2022 to 30.10.2022.

Rule ID

Severity

Rule Name

Change Type

Updated Content

Before

After

Affected Rulesets

D9.AWS.0.89909

Informational

GuardDuty Disabled

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Execution

  • AWS CloudGuard Best Practices

D9.AWS.0.22599

Low

GuardDuty Suspended

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Identity and Access Management

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS MITRE ATT&CK ™ - Credential Access

  • AWS MITRE ATT&CK ™ - Exfiltration

  • AWS MITRE ATT&CK ™ - Impact

  • AWS MITRE ATT&CK ™ - Execution

  • AWS CloudGuard Best Practices

D9.AWS.102.06565

Medium

Administrator Permissions Attached to a Role

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.0.74281

Low

Administrator Permissions Attached to a User

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Initial Access

  • AWS MITRE ATT&CK ™ - Persistence

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Defense Evasion

  • AWS CloudGuard Serverless

  • AWS CloudGuard Account Activity

  • AWS CloudGuard Best Practices

D9.AWS.105.66271

Low

IAM Permissions Enumeration

Modification

  • Logic

 

 

  • AWS CloudGuard Identity and Access Management

  • AWS MITRE ATT&CK ™ - Privilege Escalation

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AZU.105.14069

Low

Internal Rejected Traffic

Modification

  • Logic

 

 

  • Azure CloudGuard Network Security

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK ™ - Discovery

  • Azure CloudGuard Best Practices

D9.AWS.105.14069

Low

Internal Rejected Traffic

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK ™ - Discovery

  • AWS CloudGuard Best Practices

D9.AWS.108.19248

High

K8S Pod Access to Metadata

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.108.97652

Medium

K8S SSH Access to Nodes From Pods

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.ALI.702.16860

Critical

Login Attempt to Alibaba console From a Malicious IP Address

Modification

  • Name

  • Login Attempt to AWS console From a Malicious IP Address

  • Login Attempt to Alibaba console From a Malicious IP Address

  • Alibaba CloudGuard Best Practices

D9.K8S.106.00673

Medium

Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.106.00673

Medium

Outbound Traffic From DB Ports to Internet Destination

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK™ - Collection

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Impact

  • AWS MITRE ATT&CK™ - Command and Control

D9.AWS.107.22364

Low

Outbound Traffic From VPC to Internet Destination Using SMB

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK™ - Collection

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Impact

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.0.83805

Informational

Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.107.09562

Informational

Outbound Traffic From VPC to Internet Destination Using RDP

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK™ - Collection

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Impact

  • AWS MITRE ATT&CK™ - Command and Control

D9.AWS.108.98731

Low

Outbound Traffic Suspected as Cryptomining Activity

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Impact

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.02305

High

Outbound Traffic to Tor Exit Node

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Collection

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Impact

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.04785

Medium

Suspicious Outbound Traffic to a Suspected CnC Server

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Impact

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.86159

High

Outbound Traffic to Malicious IP Addresses

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Collection

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Impact

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.K8S.105.87085

Medium

Ping Sweep Activity From Within a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.105.87086

Medium

Ping Sweep Activity

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Discovery

D9.AWS.105.54069

High

Port Scan of Internal Asset From ECS

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Defense Evasion

  • AWS MITRE ATT&CK™ - Discovery

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.105.17551

High

Port Scanning of an Internal Asset From a Kubernetes Pod

Modification

  • Logic

 

 

  • Kubernetes CloudGuard Best Practices

D9.AWS.105.7551

High

Port Scanning of an Internal Asset

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Discovery

  • AWS CloudGuard Best Practices

D9.GCP.514.992293

Informational

Project IAM Policy Updated

Modification

  • Logic

 

 

  • GCP CloudGuard Account Activity

D9.GCP.514.62109

Informational

Service Account IAM Policy Updated

Modification

  • Logic

 

 

  • GCP CloudGuard Account Activity

D9.AZU.512.41592

Low

Successful Login Without MFA

Modification

  • Logic

 

 

  • Azure CloudGuard Identity and Access Management

  • Azure CloudGuard Vulnerability and Threat Management

  • Azure MITRE ATT&CK™ - Initial Access

  • Azure MITRE ATT&CK™ - Defense Evasion

  • Azure MITRE ATT&CK™ - Credential Access

  • Azure CloudGuard Best Practices

D9.AWS.107.09957

Low

Suspicious DNS Packet Size

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Discovery

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.37118

Low

Suspicious DNS Packets Volume Per Session

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Discovery

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.108.44909

High

Suspicious ECS Task Has Been Executed

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK™ - Impact

  • AWS MITRE ATT&CK™ - Execution

D9.AWS.107.31878

Low

Suspicious NTP Packet Size

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Discovery

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.107.65125

Low

Suspicious NTP Packets Volume Per Session

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Discovery

  • AWS MITRE ATT&CK™ - Command and Control

  • AWS CloudGuard Best Practices

D9.AWS.101.97471

Low

Suspicious Outbound Traffic to a Phishing Server

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Command and Control

D9.AWS.108.83241

High

Unsecured Task Definition Created - Privileged Container

Modification

  • Logic

 

 

  • AWS CloudGuard Vulnerability and Threat Management

  • AWS CloudGuard Cloud Asset Management

  • AWS MITRE ATT&CK™ - Initial Access

  • AWS MITRE ATT&CK™ - Collection

  • AWS MITRE ATT&CK™ - Impact

  • AWS CloudGuard Serverless

  • AWS CloudGuard Best Practices

D9.AWS.108.64899

Medium

Unusual Exposed Ports on Instance

Modification

  • Logic

 

 

  • AWS CloudGuard Network Security

  • AWS MITRE ATT&CK™ - Defense Evasion

  • AWS MITRE ATT&CK™ - Collection

  • AWS MITRE ATT&CK™ - Exfiltration

  • AWS MITRE ATT&CK™ - Impact

  • AWS CloudGuard Best Practices