1 November 11 2024
2 November 04 2024
3 October 16 2024
4 October 07 2024
5 September 30 2024
6 September 16 2024
7 September 05 2024
8 August 11 2024
9 August 06 2024
10 July 24 2024
11 July 04 2024
12 June 24 2024
13 June 18 2024
14 June 17 2024
15 June 06 2024
16 May 27 2024
17 May 26 2024
18 May 21 2024
19 April 18 2024
20 April 02 2024
21 February 14 2024
22 July 03 2023
23 June 18 2023
24 May 28 2023
25 April 23 2023
26 March 30 2023
27 March 29 2023
28 March 20 2023
29 March 05 2023
30 February 19 2023
31 February 05 2023
32 January 22 2023
33 January 16 2023
34 January 15 2023
35 December 25 2022
36 December 11 2022
37 November 28 2022
38 November 13 2022
39 November 07 2022
40 November 06 2022
41 October 30 2022

November 11 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AWS.502.75889	High	Crypto mining terms have been identified	Modification	Logic			D9.AWS.502.75889	None None None

November 04 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AWS.106.00673	High	AWS Outbound Traffic from DB Ports to Internet Destination	Modification	Name Logic	Outbound Traffic From DB Ports to Internet Destination	AWS Outbound Traffic from DB Ports to Internet Destination	D9.AWS.106.00673	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration CloudGuard CDR AWS All Rules
D9.AWS.502.62800	Medium	AWS Outbound Response from Server Remote Access Port to Malicious IP Address	Modification	Name Logic	Outbound Response from a Server Remote Access Port to a Malicious IP	AWS Outbound Response from Server Remote Access Port to Malicious IP Address	D9.AWS.502.62800	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices CloudGuard CDR AWS All Rules
D9.AWS.502.54494	Critical	AWS Outbound Communication from Server DB Port to Malicious IP Address	Modification	Name Logic	Outbound Communication from a Server DB Port to a Malicious IP	AWS Outbound Communication from Server DB Port to Malicious IP Address	D9.AWS.502.54494	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices CloudGuard CDR AWS All Rules
D9.AWS.502.41540	Critical	AWS Outbound Communication from Server Filesharing Port to Malicious IP Address	Modification	Name Logic	Outbound Communication from a Server File-sharing Port to a Malicious IP	AWS Outbound Communication from Server Filesharing Port to Malicious IP Address	D9.AWS.502.41540	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices CloudGuard CDR AWS All Rules
D9.AWS.502.95086	Critical	AWS Outbound Communication from Server Remote Access Port to Malicious IP Address	Modification	Name Logic	Outbound Communication from a Server Remote Access Port to a Malicious IP	AWS Outbound Communication from Server Remote Access Port to Malicious IP Address	D9.AWS.502.95086	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices CloudGuard CDR AWS All Rules
D9.AWS.502.62133	Low	AWS Outbound Response from Server DB Port to Malicious IP Address	Modification	Name Logic	Outbound Response from a Server DB Port to a Malicious IP	AWS Outbound Response from Server DB Port to Malicious IP Address	D9.AWS.502.62133	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices CloudGuard CDR AWS All Rules
D9.AWS.502.82906	Informational	AWS Outbound Response from Server Network Port to Malicious IP Address	Modification	Name	Outbound Response from a Server Network Port to a Malicious IP	AWS Outbound Response from Server Network Port to Malicious IP Address	D9.AWS.502.82906	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices CloudGuard CDR AWS All Rules
D9.AWS.502.86161	Low	AWS Outbound Response from Server Filesharing Port to Malicious IP Address	Modification	Name Logic	Outbound Response from a Server File-sharing Port to a Malicious IP	AWS Outbound Response from Server Filesharing Port to Malicious IP Address	D9.AWS.502.86161	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices CloudGuard CDR AWS All Rules
D9.AWS.107.1929	High	AWS Inbound Accepted Traffic from Malicious IP Address	Modification	Name Logic	Inbound Accepted Traffic From a Malicious IP Address	AWS Inbound Accepted Traffic from Malicious IP Address	D9.AWS.107.1929	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Command and Control CloudGuard CDR AWS All Rules
D9.AWS.108.98731	Low	AWS Outbound Traffic Suspected as Cryptomining Activity	Modification	Name	Outbound Traffic Suspected as Cryptomining Activity	AWS Outbound Traffic Suspected as Cryptomining Activity	D9.AWS.108.98731	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Exfiltration CloudGuard CDR AWS All Rules
D9.AWS.107.09562	High	AWS Outbound Traffic from VPC to Internet Destination using RDP	Modification	Name Logic	Outbound Traffic From VPC to Internet Destination Using RDP	AWS Outbound Traffic from VPC to Internet Destination using RDP	D9.AWS.107.09562	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Lateral Movement CloudGuard CDR AWS All Rules
D9.AWS.107.22364	High	AWS Outbound Traffic from VPC to Internet Destination using SMB	Modification	Name Logic	Outbound Traffic From VPC to Internet Destination Using SMB	AWS Outbound Traffic from VPC to Internet Destination using SMB	D9.AWS.107.22364	AWS CloudGuard Network Security AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Lateral Movement CloudGuard CDR AWS All Rules
D9.AWS.107.44344	Low	AWS Outbound Traffic to Compromised Server	Modification	Name	Outbound Traffic to a Compromised Server	AWS Outbound Traffic to Compromised Server	D9.AWS.107.44344	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access CloudGuard CDR AWS All Rules
D9.ALI.702.19961	Low	Abuse of Unsuccessful AssumeRole	Modification	Logic			D9.ALI.702.19961	Alibaba CloudGuard Best Practices CloudGuard CDR Alibaba All Rules
D9.AWS.107.02305	Critical	AWS Outbound Traffic to TOR Exit Node	Modification	Name	Outbound Traffic to Tor Exit Node	AWS Outbound Traffic to TOR Exit Node	D9.AWS.107.02305	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Command and Control CloudGuard CDR AWS All Rules
D9.AWS.107.04785	High	AWS Suspicious Outbound Traffic to Suspected CnC Server	Modification	Name	Suspicious Outbound Traffic to a Suspected CnC Server	AWS Suspicious Outbound Traffic to Suspected CnC Server	D9.AWS.107.04785	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Exfiltration CloudGuard CDR AWS All Rules
D9.AWS.101.50079	Informational	AWS Security Group Modification	Modification	Name	Security Group Modification	AWS Security Group Modification	D9.AWS.101.50079	AWS CloudGuard Network Security AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR AWS All Rules
D9.AWS.101.97471	Low	AWS Suspicious Outbound Traffic to Phishing Server	Modification	Name	Suspicious Outbound Traffic to a Phishing Server	AWS Suspicious Outbound Traffic to Phishing Server	D9.AWS.101.97471	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Exfiltration CloudGuard CDR AWS All Rules
D9.ALI.702.06360	Low	AdministratorAccess Permissions were attached to a Role	Modification	Logic			D9.ALI.702.06360	Alibaba CloudGuard Best Practices CloudGuard CDR Alibaba All Rules
D9.AWS.0.28676	Low	A User Was Added to an Admin Group	Modification	Logic			D9.AWS.0.28676	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Account Activity AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Persistence CloudGuard CDR AWS All Rules
D9.AWS.0.71403	Medium	A Policy with IAM CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity	Modification	Logic			D9.AWS.0.71403	AWS CloudGuard Identity and Access Management AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR AWS All Rules
D9.AWS.0.38420	Medium	A Policy With S3 CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity	Modification	Logic			D9.AWS.0.38420	AWS CloudGuard Identity and Access Management AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR AWS All Rules
D9.AZU.512.40041	Low	App Role Assigned to Service Principals or Users or Groups	Modification	Name	Azure App Role Assigned to Service Principals/Users/Groups	App Role Assigned to Service Principals or Users or Groups	D9.AZU.512.40041	Azure CloudGuard Identity and Access Management Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR Azure All Rules
D9.AZU.512.82136	High	Auto Scale Instance Disabled	Modification	Logic			D9.AZU.512.82136	Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices CloudGuard CDR Azure All Rules
D9.AZU.512.35494	Medium	Azure Credentials Were Added to an Azure AD Service Principal	Modification	Logic			D9.AZU.512.35494	Azure CloudGuard Identity and Access Management Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Credential Access CloudGuard CDR Azure All Rules
D9.AWS.0.23097	Low	An Existing IAM Policy Version Was Set to Default	Modification	Logic			D9.AWS.0.23097	AWS CloudGuard Identity and Access Management AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR AWS All Rules
D9.AWS.0.17234	Informational	Attachment of User or Group or Role Policy	Modification	Name	Attachment of User/Group/Role Policy	Attachment of User or Group or Role Policy	D9.AWS.0.17234	AWS CloudGuard Identity and Access Management AWS CloudGuard Account Activity AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR AWS All Rules
D9.AWS.0.35359	Medium	Access Key Status Changed to Active or Inactive	Modification	Name Logic	Access Key Status Changed to Active/Inactive	Access Key Status Changed to Active or Inactive	D9.AWS.0.35359	AWS CloudGuard Identity and Access Management AWS CloudGuard Key Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.102.06361	Low	AdministratorAccess Permissions Attached to a Role	Modification	Logic			D9.AWS.102.06361	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.AWS.104.71471	Low	Access Key Created	Modification	Logic			D9.AWS.104.71471	AWS CloudGuard Identity and Access Management AWS CloudGuard Key Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Persistence CloudGuard CDR AWS All Rules
D9.AWS.0.49438	Low	AdministratorAccess Permissions Attached to a User	Modification	Logic			D9.AWS.0.49438	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.AZU.512.64183	Critical	Azure Outbound Communication from Server DB Port to Malicious IP Address	Modification	Name	Azure Outbound communication from a Server DB port to a malicious IP	Azure Outbound Communication from Server DB Port to Malicious IP Address	D9.AZU.512.64183	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration CloudGuard CDR Azure All Rules
D9.AZU.107.71929	High	Azure Inbound Accepted Traffic from Malicious IP Address	Modification	Name Logic	Inbound Accepted Traffic From a Malicious IP Address	Azure Inbound Accepted Traffic from Malicious IP Address	D9.AZU.107.71929	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Command and Control CloudGuard CDR Azure All Rules
D9.AZU.512.86610	Critical	Azure Outbound Communication from Server Filesharing Port to Malicious IP Address	Modification	Name	Azure Outbound communication from an internal server file sharing port to a malicious IP	Azure Outbound Communication from Server Filesharing Port to Malicious IP Address	D9.AZU.512.86610	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration CloudGuard CDR Azure All Rules
D9.AZU.512.68557	Critical	Azure Outbound Communication from Server Remote Access Port to Malicious IP Address	Modification	Name	Azure Outbound communication from internal server remote access port to a malicious IP	Azure Outbound Communication from Server Remote Access Port to Malicious IP Address	D9.AZU.512.68557	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration CloudGuard CDR Azure All Rules
D9.AZU.512.25894	Low	Azure Outbound Response from Server DB Port to Malicious IP Address	Modification	Name	Azure Outbound Response from a Server DB port to a malicious IP	Azure Outbound Response from Server DB Port to Malicious IP Address	D9.AZU.512.25894	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration CloudGuard CDR Azure All Rules
D9.AZU.512.25639	Low	Azure Outbound Response from Server Filesharing Port to Malicious IP Address	Modification	Name	Azure Outbound Response from an internal server file sharing port to a malicious IP	Azure Outbound Response from Server Filesharing Port to Malicious IP Address	D9.AZU.512.25639	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration CloudGuard CDR Azure All Rules
D9.AZU.512.67901	Low	Azure Outbound Response from Server Remote Access Port to Malicious IP Address	Modification	Name	Azure Outbound Response from internal server remote access port to a malicious IP	Azure Outbound Response from Server Remote Access Port to Malicious IP Address	D9.AZU.512.67901	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration CloudGuard CDR Azure All Rules
D9.AZU.512.42349	Low	Azure Outbound Traffic to Compromised Server	Modification	Name	Outbound Traffic to a Compromised Server	Azure Outbound Traffic to Compromised Server	D9.AZU.512.42349	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access CloudGuard CDR Azure All Rules
D9.AZU.512.86161	Informational	Azure Outbound Traffic to Malicious IP Addresses	Modification	Name	Azure General Outbound Traffic to a malicious IP	Azure Outbound Traffic to Malicious IP Addresses	D9.AZU.512.86161	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration CloudGuard CDR Azure All Rules
D9.AWS.502.29977	Informational	CodeCommit GitPull Request	Modification	Logic			D9.AWS.502.29977	AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Collection CloudGuard CDR AWS All Rules
D9.AZU.512.93662	Informational	Azure Security Group Modification	Modification	Name	Security Group rule Modification	Azure Security Group Modification	D9.AZU.512.93662	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR Azure All Rules
D9.AZU.512.09562	High	Azure Outbound Traffic from VPC to Internet Destination using RDP	Modification	Name	Outbound Traffic From a VPC to an Internet Destination Using RDP	Azure Outbound Traffic from VPC to Internet Destination using RDP	D9.AZU.512.09562	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Lateral Movement CloudGuard CDR Azure All Rules
D9.AWS.502.28997	Informational	Discovery operation using multiple Describe or List APIs	Modification	Name Logic	Discovery operation using multiple Describe / List APIs	Discovery operation using multiple Describe or List APIs	D9.AWS.502.28997	AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Discovery CloudGuard CDR AWS All Rules
D9.GCP.515.44354	High	GCP Inbound Accepted Traffic from Malicious IP Address	Modification	Name Logic	Inbound Accepted Traffic From a Malicious IP Address	GCP Inbound Accepted Traffic from Malicious IP Address	D9.GCP.515.44354	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.AZU.101.02305	Critical	Azure Outbound Traffic to TOR Exit Node	Modification	Name	Outbound Traffic to Tor Exit Node	Azure Outbound Traffic to TOR Exit Node	D9.AZU.101.02305	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Command and Control CloudGuard CDR Azure All Rules
D9.AWS.502.49684	Medium	External DescribeVpcs Request	Modification	Logic			D9.AWS.502.49684	AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Discovery CloudGuard CDR AWS All Rules
D9.K8S.107.71929	High	Inbound Accepted Traffic to Kubernetes Cluster from Malicious IP Address	Modification	Name	Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address	Inbound Accepted Traffic to Kubernetes Cluster from Malicious IP Address	D9.K8S.107.71929	Kubernetes CloudGuard Best Practices
D9.GCP.515.45774	High	GCP Outbound Traffic from VPC to Internet Destination using RDP	Modification	Name	Outbound Traffic From VPC to Internet Destination Using RDP	GCP Outbound Traffic from VPC to Internet Destination using RDP	D9.GCP.515.45774	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.GCP.515.40828	Critical	GCP Outbound Traffic to Malicious IP Addresses	Modification	Name Logic	Outbound Traffic to Malicious IP Addresses	GCP Outbound Traffic to Malicious IP Addresses	D9.GCP.515.40828	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.GCP.515.47515	Critical	GCP Outbound Traffic to TOR Exit Node	Modification	Name	Outbound Traffic to Tor Exit Node	GCP Outbound Traffic to TOR Exit Node	D9.GCP.515.47515	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.AWS.108.97652	Medium	K8S SSH Access to Nodes from Pods	Modification	Name	K8S SSH Access to Nodes From Pods	K8S SSH Access to Nodes from Pods	D9.AWS.108.97652	Kubernetes CloudGuard Best Practices
D9.AWS.100.57034	Critical	EC2 AMI is made public in AWS	Modification	Name	EC2 AMI is made public in AWS.	EC2 AMI is made public in AWS	D9.AWS.100.57034	AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.K8S.522.86159	Critical	Outbound Kubernetes Traffic to Malicious IP Addresses	Modification	Name	Outbound Traffic to Malicious IP Addresses	Outbound Kubernetes Traffic to Malicious IP Addresses	D9.K8S.522.86159	Kubernetes CloudGuard Best Practices
D9.K8S.106.00673	High	Outbound Traffic to Internet Destination from DB Ports within Kubernetes Cluster	Modification	Name	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Outbound Traffic to Internet Destination from DB Ports within Kubernetes Cluster	D9.K8S.106.00673	Kubernetes CloudGuard Best Practices
D9.K8S.522.83805	Medium	Outbound Traffic from Kubernetes Cluster to Internet Destination Using SSH	Modification	Name	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Outbound Traffic from Kubernetes Cluster to Internet Destination Using SSH	D9.K8S.522.83805	Kubernetes CloudGuard Best Practices
D9.AWS.108.49195	High	Brute-force Attack on an S3 Bucket	Modification	Logic			D9.AWS.108.49195	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Serverless AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration CloudGuard CDR AWS All Rules
D9.K8S.522.02305	Critical	Outbound Traffic to TOR Exit Node from within Kubernetes Cluster	Modification	Name	Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster	Outbound Traffic to TOR Exit Node from within Kubernetes Cluster	D9.K8S.522.02305	Kubernetes CloudGuard Best Practices
D9.AWS.105.66271	Low	IAM Permissions Enumeration	Modification	Logic			D9.AWS.105.66271	AWS CloudGuard Identity and Access Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Discovery CloudGuard CDR AWS All Rules
D9.AZU.512.14996	Informational	Function Created	Modification	Logic			D9.AZU.512.14996	Azure CloudGuard Cloud Asset Management Azure CloudGuard Serverless Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Execution Azure MITRE ATT&CK ™ - Command and Control Azure MITRE ATT&CK ™ - Impact CloudGuard CDR Azure All Rules
D9.AWS.108.32796	Medium	Lambda DoS	Modification	Logic			D9.AWS.108.32796	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Serverless AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.107.92598	Medium	Lambda Layer Was Added From an External Account	Modification	Logic			D9.AWS.107.92598	AWS CloudGuard Cloud Asset Management AWS CloudGuard Serverless AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.102.25662	Medium	IAM Policy Allowing Privilege Escalation via EC2 Service	Modification	Logic			D9.AWS.102.25662	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.AZU.512.56100	Low	Large Number of Failed Logins to Azure	Modification	Logic			D9.AZU.512.56100	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Credential Access CloudGuard CDR Azure All Rules
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic			D9.AWS.105.87086	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery CloudGuard CDR AWS All Rules
D9.AWS.108.27256	Medium	Overly-Permissive Policy Attached to an SES Identity	Modification	Logic			D9.AWS.108.27256	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.AWS.108.42542	Low	Password Policy Change	Modification	Logic			D9.AWS.108.42542	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.AWS.108.88304	Medium	Overly-Permissive SQS Policy	Modification	Logic			D9.AWS.108.88304	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.GCP.515.48951	High	Port Scanning of an Internal Asset	Modification	Logic			D9.GCP.515.48951	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.AWS.108.80248	Medium	Overly-Permissive Lambda Permission	Modification	Logic			D9.AWS.108.80248	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Serverless AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR AWS All Rules
D9.AWS.502.49424	Informational	Port Scanning from the Internet	Modification	Logic			D9.AWS.502.49424	AWS CloudGuard Network Security AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Discovery CloudGuard CDR AWS All Rules
D9.AZU.512.17551	High	Port Scanning of an Internal Asset	Modification	Logic			D9.AZU.512.17551	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Discovery CloudGuard CDR Azure All Rules
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic			D9.AWS.105.7551	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices CloudGuard CDR AWS All Rules
D9.AWS.105.54069	High	Port Scan of Internal Asset From ECS	Modification	Logic			D9.AWS.105.54069	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Serverless AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Discovery CloudGuard CDR AWS All Rules
D9.AWS.502.81184	Low	S3 Bucket Object Collection Pattern	Modification	Logic			D9.AWS.502.81184	AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Collection CloudGuard CDR AWS All Rules
D9.AWS.0.88439	High	RDS Instance Password Changed	Modification	Logic			D9.AWS.0.88439	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.108.93965	Low	S3 Objects Deleted	Modification	Name	S3 Object/s Deleted	S3 Objects Deleted	D9.AWS.108.93965	AWS CloudGuard Cloud Asset Management AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.0.11261	Informational	Role Disassociated from Instance	Modification	Logic			D9.AWS.0.11261	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Account Activity AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.108.67850	High	RDS Instance Publicly Accessible	Modification	Logic			D9.AWS.108.67850	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Serverless AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.AWS.0.90316	Low	S3 Bucket Configurations Deleted	Modification	Logic			D9.AWS.0.90316	AWS CloudGuard Cloud Asset Management AWS CloudGuard Serverless AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.108.26846	Medium	S3 Bucket Versioning Suspended	Modification	Logic			D9.AWS.108.26846	AWS CloudGuard Cloud Asset Management AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.104.18467	Low	Several Failed Logins Attempts Followed by a Successful Login to Your AWS Console	Modification	Logic			D9.AWS.104.18467	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access CloudGuard CDR AWS All Rules
D9.AWS.108.44333	Critical	Successful API Request Originated From a Tor Exit Node	Modification	Logic			D9.AWS.108.44333	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Execution CloudGuard CDR AWS All Rules
D9.AWS.104.70939	Low	Successful Console Logins From More Than One User-Agent	Modification	Logic			D9.AWS.104.70939	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR AWS All Rules
D9.GCP.515.54560	Low	Suspicious DNS Packet Size	Modification	Logic			D9.GCP.515.54560	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.GCP.515.80600	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic			D9.GCP.515.80600	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.GCP.515.61003	Low	Suspicious NTP Packet Size	Modification	Logic			D9.GCP.515.61003	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.AWS.107.09957	Low	Suspicious DNS Packet Size	Modification	Logic			D9.AWS.107.09957	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Command and Control AWS MITRE ATT&CK ™ - Exfiltration CloudGuard CDR AWS All Rules
D9.GCP.515.97764	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic			D9.GCP.515.97764	GCP CloudGuard Network Traffic CloudGuard CDR GCP All Rules
D9.AZU.512.23090	Critical	Unauthorized actions under tenant scope	Modification	Name	Unauthorized actions under tenant’s scope	Unauthorized actions under tenant scope	D9.AZU.512.23090	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Lateral Movement CloudGuard CDR Azure All Rules
D9.AWS.107.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic			D9.AWS.107.37118	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Command and Control AWS MITRE ATT&CK ™ - Exfiltration CloudGuard CDR AWS All Rules
D9.AWS.108.25508	High	Suspicious StartSession Event Was Triggered	Modification	Logic			D9.AWS.108.25508	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Command and Control CloudGuard CDR AWS All Rules
D9.AWS.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic			D9.AWS.107.31878	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Command and Control AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AWS.103.40436	High	Temporary Credentials Created From Permanent User	Modification	Logic			D9.AWS.103.40436	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.AWS.108.63748	High	Unsecured Task Definition Created - hostPath	Modification	Logic			D9.AWS.108.63748	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Privilege Escalation CloudGuard CDR AWS All Rules
D9.AWS.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic			D9.AWS.107.65125	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Command and Control AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact CloudGuard CDR AWS All Rules
D9.AZU.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic			D9.AZU.107.31878	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure CloudGuard Best Practices None Azure MITRE ATT&CK ™ - Command and Control Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Impact CloudGuard CDR Azure All Rules
D9.AWS.108.54497	High	Unsecured Task Definition Created - Dangerous Capabilities	Modification	Logic			D9.AWS.108.54497	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules

October 16 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AWS.502.75889	High	Crypto mining terms have been identified	Modification	Logic			D9.AWS.502.75889	AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Impact

October 07 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AWS.103.87181	Medium	S3 Bucket Server Access Logs Disabled	New				D9.AWS.103.87181	AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.105.25835	Informational	CloudFront Function Created	New				D9.AWS.105.25835	AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Discovery
D9.AWS.100.57034	Critical	EC2 AMI is made public in AWS.	New				D9.AWS.100.57034	AWS CloudGuard Account Activity AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion CloudGuard CDR AWS All Rules
D9.AZU.512.43406	High	Anomalous Login to the Microsoft Entra Connect Synchronization Account	Modification	Name	Anomalous Login to the Azure AD Connect Synchronization Account	Anomalous Login to the Microsoft Entra Connect Synchronization Account	D9.AZU.512.43406	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure MITRE ATT&CK ™ - Lateral Movement Azure CloudGuard Best Practices CloudGuard CDR Azure All Rules

September 30 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.56418	High	Exploiting elevated user access Administrator role	Modification	Name	EXPLOITING ELEVATED USER ACCESS ADMINISTRATOR ROLE	Exploiting elevated user access Administrator role	D9.AZU.512.56418	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Lateral Movement

September 16 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.95565	High	Multitenant Access Configured for Azure App	Modification	Logic			D9.AZU.512.95565	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Collection
D9.AZU.512.93543	High	Admin Permissions Granted to AKS Cluster Service Account	Modification	Logic			D9.AZU.512.93543	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Lateral Movement Azure MITRE ATT&CK ™ - Privilege Escalation

September 05 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Rule ID	Affected Rulesets
D9.AZU.512.63813	High	User Assigned as Subscription Owner	New	D9.AZU.512.63813	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access
D9.AZU.512.95565	High	Multitenant Access Configured for Azure App	New	D9.AZU.512.95565	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Collection
D9.AZU.512.93543	High	Admin Permissions Granted to AKS Cluster Service Account	New	D9.AZU.512.93543	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Lateral Movement Azure MITRE ATT&CK ™ - Privilege Escalation
None	Medium	General Guard Duty Rule	Removal	None	AWS GuardDuty

August 11 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.56418	High	EXPLOITING ELEVATED USER ACCESS ADMINISTRATOR ROLE	Modification	Name	Exploiting elevated user access administrator role	EXPLOITING ELEVATED USER ACCESS ADMINISTRATOR ROLE	D9.AZU.512.56418	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Lateral Movement

August 06 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Rule ID	Affected Rulesets
D9.AZU.512.87013	High	Azure Firewall Rules Changed	New	D9.AZU.512.87013	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion
D9.AZU.512.65751	Low	Azure Active Directory PowerShell Sign-In	New	D9.AZU.512.65751	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access
D9.AWS.502.48632	High	S3 ACL Enumeration Attack	New	D9.AWS.502.48632	AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Discovery
D9.AZU.512.59482	Low	Write Permissions Added to Service Principal	New	D9.AZU.512.59482	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Persistence

July 24 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.73899	Critical	Suspicious Automation Tool Detected	Modification	Logic			D9.AZU.512.73899	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access

July 04 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.25639	Low	Azure Outbound Response from an internal server file sharing port to a malicious IP	Modification	Name	AZU Outbound Response from an internal server file sharing port to a malicious IP	Azure Outbound Response from an internal server file sharing port to a malicious IP	D9.AZU.512.25639	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.25894	Low	Azure Outbound Response from a Server DB port to a malicious IP	Modification	Name	AZU Outbound Response from a Server DB port to a malicious IP	Azure Outbound Response from a Server DB port to a malicious IP	D9.AZU.512.25894	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.64183	Critical	Azure Outbound communication from a Server DB port to a malicious IP	Modification	Name	AZU Outbound communication from a Server DB port to a malicious IP	Azure Outbound communication from a Server DB port to a malicious IP	D9.AZU.512.64183	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.42349	Low	Outbound Traffic to a Compromised Server	Modification	Logic			D9.AZU.512.42349	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access
D9.AZU.512.86610	Critical	Azure Outbound communication from an internal server file sharing port to a malicious IP	Modification	Name	AZU Outbound communication from an internal server file sharing port to a malicious IP	Azure Outbound communication from an internal server file sharing port to a malicious IP	D9.AZU.512.86610	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.86161	Informational	Azure General Outbound Traffic to a malicious IP	Modification	Name	AZU General Outbound Traffic to a malicious IP	Azure General Outbound Traffic to a malicious IP	D9.AZU.512.86161	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.67901	Low	Azure Outbound Response from internal server remote access port to a malicious IP	Modification	Name	AZU Outbound Response from internal server remote access port to a malicious IP	Azure Outbound Response from internal server remote access port to a malicious IP	D9.AZU.512.67901	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.68557	Critical	Azure Outbound communication from internal server remote access port to a malicious IP	Modification	Name	AZU Outbound communication from internal server remote access port to a malicious IP	Azure Outbound communication from internal server remote access port to a malicious IP	D9.AZU.512.68557	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration

June 24 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.78077	Informational	Azure Compute SSH Key pair Generated	New				D9.AZU.512.78077	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence
D9.AZU.512.91020	Low	Azure File Share modified.	New				D9.AZU.512.91020	Azure MITRE ATT&CK ™ - Persistence Azure CloudGuard Best Practices
D9.AZU.512.86161	Informational	AZU General Outbound Traffic to a malicious IP	Modification	Logic Severity	Critical	Informational	D9.AZU.512.86161	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.12198	Low	Azure Firewall Deleted	New				D9.AZU.512.12198	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion
D9.AZU.512.51624	Informational	Azure Compute SSH Key pair deleted	New				D9.AZU.512.51624	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Impact
D9.AWS.502.82906	Informational	Outbound Response from a Server Network Port to a Malicious IP	Modification	Logic Severity	Low	Informational	D9.AWS.502.82906	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AZU.512.21549	Critical	Azure Network Watcher was created or modified	New				D9.AZU.512.21549	Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Discovery
D9.AWS.502.95086	Critical	Outbound Communication from a Server Remote Access Port to a Malicious IP	Modification	Logic			D9.AWS.502.95086	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AZU.512.47677	Low	Azure managed disks snapshots were modified.	New				D9.AZU.512.47677	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Defense Evasion
D9.AZU.512.15433	Low	Azure Service Principal added	New				D9.AZU.512.15433	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Persistence
D9.AWS.502.62800	Medium	Outbound Response from a Server Remote Access Port to a Malicious IP	Modification	Logic			D9.AWS.502.62800	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.502.89983	Critical	Outbound Communication from a Server Network Port to a Malicious IP	Removal				D9.AWS.502.89983	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices

June 18 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.73899	Critical	Suspicious Automation Tool Detected	New				D9.AZU.512.73899	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access
D9.AZU.512.42349	Low	Outbound Traffic to a Compromised Server	New				D9.AZU.512.42349	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access

June 17 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Rule ID	Affected Rulesets
D9.AZU.512.86161	Critical	AZU General Outbound Traffic to a malicious IP	New		D9.AZU.512.86161	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.25894	Low	AZU Outbound Response from a Server DB port to a malicious IP	New		D9.AZU.512.25894	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.67901	Low	AZU Outbound Response from internal server remote access port to a malicious IP	New		D9.AZU.512.67901	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.25639	Low	AZU Outbound Response from an internal server file sharing port to a malicious IP	New		D9.AZU.512.25639	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.64183	Critical	AZU Outbound communication from a Server DB port to a malicious IP	New		D9.AZU.512.64183	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.86610	Critical	AZU Outbound communication from an internal server file sharing port to a malicious IP	New		D9.AZU.512.86610	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AZU.512.68557	Critical	AZU Outbound communication from internal server remote access port to a malicious IP	New		D9.AZU.512.68557	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Exfiltration
D9.AWS.502.41540	Critical	Outbound Communication from a Server File-sharing Port to a Malicious IP	New		D9.AWS.502.41540	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.502.54494	Critical	Outbound Communication from a Server DB Port to a Malicious IP	New		D9.AWS.502.54494	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.502.89983	Critical	Outbound Communication from a Server Network Port to a Malicious IP	New		D9.AWS.502.89983	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.502.95086	Critical	Outbound Communication from a Server Remote Access Port to a Malicious IP	New		D9.AWS.502.95086	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.502.62800	Medium	Outbound Response from a Server Remote Access Port to a Malicious IP	New		D9.AWS.502.62800	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.502.86161	Low	Outbound Response from a Server File-sharing Port to a Malicious IP	New		D9.AWS.502.86161	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.502.82906	Low	Outbound Response from a Server Network Port to a Malicious IP	New		D9.AWS.502.82906	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	D9.AWS.105.7551	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.502.62133	Low	Outbound Response from a Server DB Port to a Malicious IP	New		D9.AWS.502.62133	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Removal		D9.AWS.107.86159	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Exfiltration
D9.AZU.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Removal		D9.AZU.107.86159	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure CloudGuard Best Practices None Azure MITRE ATT&CK ™ - Exfiltration

June 06 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Rule ID	Affected Rulesets
D9.AZU.512.97932	Medium	A Microsoft Entra Custom Role Was Created with Owner Permissions	New	D9.AZU.512.97932	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence
D9.AZU.512.38978	Informational	Admin permissions attached to a User	New	D9.AZU.512.38978	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence
D9.AZU.512.23181	Informational	New User Created	New	D9.AZU.512.23181	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence
D9.AZU.512.55860	Low	A Role Has Been Updated	New	D9.AZU.512.55860	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence
D9.AZU.512.80236	Informational	Admin permissions attached to a Group	New	D9.AZU.512.80236	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence
D9.AZU.512.60844	Low	An Azure custom role was created with permissions to Active Directory	New	D9.AZU.512.60844	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.64788	Low	An Azure custom role was created with full action permissions	New	D9.AZU.512.64788	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.39261	Informational	SQL database Transparent Data Encryption Modified	New	D9.AZU.512.39261	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Impact
D9.AZU.512.56218	Informational	Blob Versioning were Disabled	New	D9.AZU.512.56218	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Impact Azure MITRE ATT&CK ™ - Execution
D9.AZU.512.94460	Medium	Company settings were modified	New	D9.AZU.512.94460	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Persistence
D9.AZU.512.47901	Informational	Network Security Groups were created or updated	New	D9.AZU.512.47901	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.84822	Low	Security info was changed	New	D9.AZU.512.84822	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.93662	Informational	Security Group rule Modification	New	D9.AZU.512.93662	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.46481	Informational	Network Security Groups were deleted	New	D9.AZU.512.46481	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.54312	Informational	User Added to a Group	New	D9.AZU.512.54312	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.21188	Informational	User Login Profile Updated	New	D9.AZU.512.21188	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Impact
D9.AZU.512.78321	Informational	Azure Virtual Network was Created or Modified.	New	D9.AZU.512.78321	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Persistence
D9.AZU.512.61204	Low	Azure Virtual Network Deleted.	New	D9.AZU.512.61204	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Impact Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Persistence

May 27 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Rule ID	Affected Rulesets
D9.AZU.512.84822	Low	Security info was changed	New	D9.AZU.512.84822	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.21983	Low	Security info Deleted	New	D9.AZU.512.21983	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.37384	Medium	User cancelled security info registration	New	D9.AZU.512.37384	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.20609	High	Admin deleted security info	New	D9.AZU.512.20609	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Credential Access
D9.AZU.512.85015	Medium	Admin updated security info	New	D9.AZU.512.85015	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Credential Access

May 26 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Rule ID	Affected Rulesets
D9.AZU.512.52853	Low	Create or Update Virtual Network Subnet	New	D9.AZU.512.52853	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Discovery
D9.AZU.512.82136	High	Auto Scale Instance Disabled	New	D9.AZU.512.82136	Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AZU.512.77122	Low	Azure File Share deleted	New	D9.AZU.512.77122	Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AZU.512.13719	Medium	AKS Cluster Deleted	New	D9.AZU.512.13719	Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AZU.512.99000	Medium	Create or Update Virtual Machine	New	D9.AZU.512.99000	Azure MITRE ATT&CK ™ - Impact Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Best Practices
D9.AZU.512.31736	Low	NAT Gateway Created or Updates	New	D9.AZU.512.31736	Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.50301	High	Network Firewall Diagnostic Setting Modified	New	D9.AZU.512.50301	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Credential Access Azure MITRE ATT&CK ™ - Discovery
D9.AZU.512.50341	Low	A Container App Instance Has Been Updated	New	D9.AZU.512.50341	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Impact Azure MITRE ATT&CK ™ - Execution

May 21 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.60724	Critical	Conditional Access Policy Deletion	New				D9.AZU.512.60724	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion
D9.AZU.512.16512	Medium	Conditional Access Policy Modification	New				D9.AZU.512.16512	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Defense Evasion

April 18 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.AZU.512.21827	High	Azure SUPERMAN Login	Modification	Logic			D9.AZU.512.21827	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Initial Access Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Credential Access

April 02 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Rule ID	Affected Rulesets
D9.AZU.512.15964	Critical	Active Directory high-privileged role assigned to non-user entity	New	D9.AZU.512.15964	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.96515	High	Elevated Azure Graph API permissions granted	New	D9.AZU.512.96515	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Lateral Movement Azure MITRE ATT&CK ™ - Privilege Escalation
D9.AZU.512.23090	Critical	Unauthorized actions under tenant’s scope	New	D9.AZU.512.23090	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Lateral Movement
D9.AZU.512.56418	High	Exploiting elevated user access administrator role	New	D9.AZU.512.56418	Azure CloudGuard Best Practices Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Lateral Movement

February 14 2024

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets

GSL ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Rule ID	Affected Rulesets
D9.K8S.522.83805	Medium	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic Severity	Informational	Medium	D9.K8S.522.83805	Kubernetes CloudGuard Best Practices
D9.K8S.522.44344	Medium	Outbound Traffic to a Compromised Server From a Kubernetes Cluster	Modification	Logic Severity	Low	Medium	D9.K8S.522.44344	Kubernetes CloudGuard Best Practices
D9.AWS.108.75279	Informational	EKS Cluster Deleted	Removal				D9.AWS.108.75279	Kubernetes CloudGuard Best Practices
D9.AWS.108.02076	Medium	Lack of Service Account Usage in Kubernetes Node	Removal				D9.AWS.108.02076	Kubernetes CloudGuard Best Practices
D9.AWS.108.12930	Low	EKS Cluster Control Plane Logs Disabled	Removal				D9.AWS.108.12930	Kubernetes CloudGuard Best Practices
D9.AWS.108.88809	Informational	Fargate Profile Created For Cluster	Removal				D9.AWS.108.88809	Kubernetes CloudGuard Best Practices

July 03 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.108.30061	Medium	Shared EBS Snapshot Was Copied by another AWS Account	Modification	Name Severity	Shared EBS Snapshot Was Copied by an External Account High	Shared EBS Snapshot Was Copied by another AWS Account Medium	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices

June 18 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.103.02144	Low	Abuse of unsuccessful AssumeRole	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Best Practices

May 28 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.28997	Informational	Discovery operation using multiple Describe / List APIs	Modification	Name Logic Severity	Multiple Describe APIs Detected Medium	Discovery operation using multiple Describe / List APIs Informational	AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices

April 23 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.82498	High	Access key used from multiple IPs	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices

March 30 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.77808	Medium	MFA failed attempts	Modification	Logic			AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.502.81184	Low	S3 Bucket Object Collection Pattern	Modification	Severity	High	Low	AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Collection

March 29 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AWS.0.75748	Informational	The trust policy of a role was modified to allow third party access	New		AWS CloudGuard Best Practices
D9.AWS.502.29977	Informational	CodeCommit GitPull Request	New		AWS CloudGuard Best Practices
D9.AWS.502.77808	Medium	MFA failed attempts	New		AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.502.93892	High	Malicious Source Address Detected in SES or SNS	New		AWS CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.502.81184	High	S3 Bucket Object Collection Pattern	New		AWS CloudGuard Best Practices AWS MITRE ATT&CK ™ - Collection

March 20 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.49684	Medium	External DescribeVpcs Request	New				AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.502.28997	Medium	Multiple Describe APIs Detected	New				AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices

March 05 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AWS.502.24751	Informational	Account Password Policy Discovery	New		AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AZU.512.86212	Informational	Attach Role to Key Vault	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.78826	Informational	Failed Login Attempts to Your AZURE Console Using an Invalid Username or Password	New		Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.101.50079	Informational	Security Group Modification	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AZU.512.55123	Low	Storage account key regenerate	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.502.35659	Critical	VPC Traffic Mirroring Session Created	New		AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Credential Access AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices

February 19 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AWS.0.89909	Informational	GuardDuty Disabled	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.502.94981	High	A Command Was Sent to All Managed Instances	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.108.02681	Low	A Container Has Been Stopped Due to Absence of an Attached Foreground Process	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.108.98942	Low	A Container Has Been Stopped Due to SIGKILL	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.108.93156	Low	A Container Has Been Stopped Due to SIGSEGV	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.108.51231	Low	A Container Has Been Stopped Due to SIGTERM	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.108.84400	Low	A Container Has Been Stopped Due to Application Error or Incorrect Reference	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless
D9.AWS.0.84417	Low	A New Overly-Permissive Policy Was Set to Default	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.502.54053	Informational	Abuse of Role Credentials	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.ALI.702.19961	Low	Abuse of Unsuccessful AssumeRole	Modification	Logic	Alibaba CloudGuard Best Practices
D9.AWS.103.02144	Low	Abuse of unsuccessful AssumeRole	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AZU.512.02147	Low	Abuse of unsuccessful Role assignments	New		Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AWS.102.06565	Medium	Administrator Permissions Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.74281	Low	Administrator Permissions Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.102.06361	Low	AdministratorAccess Permissions Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.49438	Low	AdministratorAccess Permissions Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.ALI.702.06360	Low	AdministratorAccess Permissions were attached to a Role	Modification	Logic	Alibaba CloudGuard Best Practices
D9.AWS.0.56594	Medium	Policy Containing All Resources Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.0.44855	Medium	Policy Containing All Resources Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.502.23667	High	IAM Policy Allowing Privilege Escalation via SSM Service	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.0.23097	Low	An Existing IAM Policy Version Was Set to Default	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.108.95360	Informational	An Image Was Pushed to a Repository	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution
D9.AWS.108.69243	Critical	An S3 object is Publicly Accessible	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.40041	Low	Azure App Role Assigned to Service Principals/Users/Groups	Modification	Logic	Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AWS.0.86206	Informational	Attach Role to Instance	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Account Activity
D9.AZU.512.86207	Informational	Attach Role to Virtual machine	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.0.17234	Informational	Attachment of User/Group/Role Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Account Activity
D9.AZU.512.21827	High	Azure SUPERMAN Login	Modification	Logic	Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Initial Access Azure CloudGuard Best Practices
D9.AZU.512.06380	Medium	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Logic	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.108.49195	High	Brute-force Attack on an S3 Bucket	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.0.71403	Medium	A Policy with IAM CRUD(CreateReadUpdateDelete) Permissions Was Attached to an IAM Identity	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.802.0	Informational	Ciem Trigger Event	Modification	Logic	None
D9.AWS.502.75889	High	Crypto mining terms have been identified	Modification	Logic	AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.502.73254	Low	EC2 created in multiple regions	Modification	Logic	AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.104.78825	Informational	Failed Login Attempts to Your AWS Console Using an Invalid Username	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.107.02069	Medium	FullAccess Permissions Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.87124	Medium	FullAccess Permissions Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.107.94125	Medium	Wide-Permissions Policy Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.502.83517	Medium	Wide-Permissions Policy Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AZU.512.37886	Low	Function Bindings Modified	Modification	Logic	Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.105.66271	Low	IAM Permissions Enumeration	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.33582	High	Image Scanning Disabled For Repository	Modification	Logic	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AZU.107.71929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.GCP.515.44354	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic	GCP CloudGuard Network Traffic
D9.K8S.107.71929	High	Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.107.1929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.105.14069	Low	Internal Rejected Traffic	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.AWS.105.14069	Low	Internal Rejected Traffic	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.97652	Medium	K8S SSH Access to Nodes From Pods	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AZU.512.17236	Informational	Key Vault has been created	New		Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.56100	Low	Large Number of Failed Logins to Azure	Modification	Logic	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.104.31471	Low	Large Number of Failed Logins to AWS console	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.ALI.702.16860	High	Login Attempt to Alibaba console From a Malicious IP Address	Modification	Logic	Alibaba CloudGuard Best Practices
D9.AZU.512.51420	Low	Azure Login Attempt With 2 Different User-Agents in a Short Time	Modification	Logic	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.104.70939	Low	Successful Console Logins From More Than One User-Agent	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.108.32872	Informational	Multiple New Instances Launched in a Short Period by a Specific User	Modification	Logic	AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.K8S.106.00673	High	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.106.00673	High	Outbound Traffic From DB Ports to Internet Destination	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration
D9.AWS.107.22364	High	Outbound Traffic From VPC to Internet Destination Using SMB	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.GCP.515.45774	High	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Logic	GCP CloudGuard Network Traffic
D9.AWS.107.09562	High	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.98731	Low	Outbound Traffic Suspected as Cryptomining Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.GCP.515.47515	Critical	Outbound Traffic to Tor Exit Node	Modification	Logic	GCP CloudGuard Network Traffic
D9.AWS.107.02305	Critical	Outbound Traffic to Tor Exit Node	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.40828	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Logic	GCP CloudGuard Network Traffic
D9.K8S.522.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.0.90746	High	Public S3 Bucket, Overly-Permissive Access Point Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.58711	High	Public S3 Bucket, Overly-Permissive Bucket Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.107.54705	Medium	Overly-Permissive IAM Policy Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.107.91925	Medium	Overly-Permissive IAM Policy Attached to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.80248	Medium	Overly-Permissive Lambda Permission	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.102.42790	Medium	Overly-Permissive Trust Policy Attached to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.27256	Medium	Overly-Permissive Policy Attached to an SES Identity	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AWS.502.35353	Medium	Overly-Permissive SNS Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AWS.108.88304	Medium	Overly-Permissive SQS Policy	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AZU.512.40042	Low	Owner Added to a Group	New		Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.40043	Low	Owner Removed from a Group	New		Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AWS.108.42542	Low	Password Policy Change	Modification	Logic	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.AZU.512.55554	Informational	Permissions Modified For Blob	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.55555	Informational	Permissions Modified For Storage account	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.55553	Informational	Permissions Modified For Table	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.106.95525	Medium	Permissions Scanning Attempt	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.K8S.105.87085	Medium	Ping Sweep Activity From Within a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.105.54069	High	Port Scan of Internal Asset From ECS	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.GCP.515.48951	High	Port Scanning of an Internal Asset	Modification	Logic	GCP CloudGuard Network Traffic
D9.K8S.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.103.82628	Low	Privilege Escalation via Policy Version	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.0.88439	High	RDS Instance Password Changed	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Serverless AWS CloudGuard Account Activity
D9.AWS.108.67850	High	RDS Instance Publicly Accessible	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.46487	Informational	Role Detached from Virtual machine	New		Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.104.44218	Medium	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.104.92018	High	Same User Login From Multiple Locations	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS CloudGuard Best Practices
D9.AWS.101.50079	Informational	Security Group Modification	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.106.83555	High	Successful API Request Originated From a Suspicious User-Agent	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AZU.512.85876	Critical	Successful API Request Originated From a Malicious IP Address	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Impact Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.108.74210	Critical	Successful API Request Originated From a Malicious IP Address	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.502.10631	High	Suspicious Command Was Sent to a Managed Instance	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Execution AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.09957	Low	Suspicious DNS Packet Size	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.GCP.515.54560	Low	Suspicious DNS Packet Size	Modification	Logic	GCP CloudGuard Network Traffic
D9.GCP.515.80600	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic	GCP CloudGuard Network Traffic
D9.AWS.107.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.GCP.515.61003	Low	Suspicious NTP Packet Size	Modification	Logic	GCP CloudGuard Network Traffic
D9.AZU.107.31879	Low	Suspicious NTP Packet Size From a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.97764	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic	GCP CloudGuard Network Traffic
D9.AWS.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.K8S.522.65125	Low	Suspicious NTP Packets Volume From a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.108.25508	High	Suspicious StartSession Event Was Triggered	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.101.97471	Low	Suspicious Outbound Traffic to a Phishing Server	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.108.32378	High	Public S3 Bucket, Overly-Permissive ACL	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.10767	High	Unsecured PassRole Permission Was Applied to a Role	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.17277	High	Unsecured PassRole Permission Was Applied to a User	Modification	Logic	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.29542	High	Unsecured Repository Created	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.83241	High	Unsecured Task Definition Created - Privileged Container	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.63748	High	Unsecured Task Definition Created - hostPath	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.85090	High	Unsecured Task Definition Created - Env Var and Command	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.502.56156	Informational	User Data has been modified	Modification	Logic	AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices

February 05 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.512.65556	Medium	Azure Admin Consent Was Launched	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AWS.0.56594	Medium	Policy Containing All Resources Attached to a Role	Modification	Severity	Low	Medium	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.108.69243	Critical	An S3 object is Publicly Accessible	Modification	Severity	High	Critical	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.40041	Low	Azure App Role Assigned to Service Principals/Users/Groups	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.06380	Medium	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Severity	High	Medium	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.512.03312	Medium	Credentials Were Added to an Azure AD Application	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.512.35494	Medium	Azure Credentials Were Added to an Azure AD Service Principal	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.107.02069	Medium	FullAccess Permissions Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.87124	Medium	FullAccess Permissions Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.K8S.107.71929	High	Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.522.19248	Medium	K8S Pod Access to Metadata	Modification	Severity	Low	Medium	Kubernetes CloudGuard Best Practices
D9.AWS.502.82498	High	Access key used from multiple IPs	New				AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.K8S.522.44344	Low	Outbound Traffic to a Compromised Server From a Kubernetes Cluster	Modification	Severity	Medium	Low	Kubernetes CloudGuard Best Practices
D9.AZU.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.103.15235	High	Suspicious EC2 Instance Without KeyPair Was Launched	Removal				AWS CloudGuard Key Management AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices

January 22 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.0.84417	Low	A New Overly-Permissive Policy Was Set to Default	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.103.02144	Low	Abuse of unsuccessful AssumeRole	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.0.56594	Low	Policy Containing All Resources Attached to a Role	Modification	Logic Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.0.44855	Medium	Policy Containing All Resources Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Best Practices
D9.AWS.108.69243	High	An S3 object is Publicly Accessible	Modification	Name Logic Severity	An S3 object is Public Accessible Critical	An S3 object is Publicly Accessible High	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.107.02069	Medium	FullAccess Permissions Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.87124	Medium	FullAccess Permissions Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.107.94125	Medium	Wide-Permissions Policy Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.502.83517	Medium	Wide-Permissions Policy Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.103.07409	Low	Lambda Function Code Was Updated by an Entity Which Assumed a Role	Modification	Name	Lambda Function Code Was Updated by an Enitity Which Assumed a Role	Lambda Function Code Was Updated by an Entity Which Assumed a Role	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.0.90746	High	Public S3 Bucket, Overly-Permissive Access Point Policy	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.58711	High	Public S3 Bucket, Overly-Permissive Bucket Policy	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.107.54705	Medium	Overly-Permissive IAM Policy Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.107.91925	Medium	Overly-Permissive IAM Policy Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.80248	Medium	Overly-Permissive Lambda Permission	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.102.42790	Medium	Overly-Permissive Trust Policy Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.27256	Medium	Overly-Permissive Policy Attached to an SES Identity	Modification	Name Logic	Overly-Permissive Policy Attached to an SES Idnetity	Overly-Permissive Policy Attached to an SES Identity	AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AWS.108.88304	Medium	Overly-Permissive SQS Policy	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.AWS.502.49424	Informational	Port Scanning from the Internet	New				AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.32378	High	Public S3 Bucket, Overly-Permissive ACL	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.17277	High	Unsecured PassRole Permission Was Applied to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices

January 16 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.108.37464	Low	A Task on ECS Has Stopped Unexpectedly	Modification	Severity	Medium	Low	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact
D9.ALI.702.19961	Low	Abuse of Unsuccessful AssumeRole	Modification	Severity	Medium	Low	Alibaba CloudGuard Best Practices
D9.AWS.103.02144	Low	Abuse of unsuccessful AssumeRole	Modification	Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.102.06361	Low	AdministratorAccess Permissions Attached to a Role	Modification	Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.ALI.702.06360	Low	AdministratorAccess Permissions were attached to a Role	Modification	Severity	Medium	Low	Alibaba CloudGuard Best Practices
D9.AWS.108.95360	Informational	An Image Was Pushed to a Repository	Modification	Severity	Low	Informational	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution
D9.AWS.108.69243	Critical	An S3 object is Public Accessible	Modification	Severity	High	Critical	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.40041	Low	Azure App Role Assigned to Service Principals/Users/Groups	Modification	Severity	Medium	Low	Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Persistence Azure MITRE ATT&CK ™ - Privilege Escalation Azure MITRE ATT&CK ™ - Defense Evasion Azure CloudGuard Best Practices
D9.AZU.512.06380	High	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Severity	Medium	High	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.512.46271	Informational	Blob Deleted	Modification	Severity	Low	Informational	Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.0.86971	Informational	CloudWatch Log Group Created	Modification	Severity	Low	Informational	AWS CloudGuard Cloud Asset Management AWS CloudGuard Account Activity
D9.AWS.108.39020	Low	VPC Deleted	Modification	Severity	Medium	Low	AWS CloudGuard Network Security AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact
D9.AWS.108.36215	Critical	EBS Snapshot Permission Modified to Public Access	Modification	Severity	Medium	Critical	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.30061	High	Shared EBS Snapshot Was Copied by an External Account	Modification	Severity	Low	High	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.104.78825	Informational	Failed Login Attempts to Your AWS Console Using an Invalid Username	Modification	Severity	Low	Informational	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.0.87124	Medium	FullAccess Permissions Attached to a User	Modification	Severity	Low	Medium	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AZU.512.81115	Low	Function App Host Master Key Modified	Modification	Severity	Medium	Low	Azure CloudGuard Identity and Access Management Azure CloudGuard Key Management Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Credential Access Azure MITRE ATT&CK ™ - Impact Azure MITRE ATT&CK ™ - Execution Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AWS.108.12930	Low	EKS Cluster Control Plane Logs Disabled	Modification	Severity	Medium	Low	Kubernetes CloudGuard Best Practices
D9.AWS.104.18467	Low	Several Failed Logins Attempts Followed by a Successful Login to Your AWS Console	Modification	Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access
D9.AWS.108.92844	High	Login Attempt to AWS Console From a Malicious IP Address	Modification	Severity	Critical	High	AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.ALI.702.16860	High	Login Attempt to Alibaba console From a Malicious IP Address	Modification	Severity	Critical	High	Alibaba CloudGuard Best Practices
D9.AZU.512.69098	High	Login Attempt to Azure From a Malicious IP Address	Modification	Severity	Critical	High	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AWS.108.48576	Low	Modification Subnet Attributes	Modification	Severity	Medium	Low	AWS CloudGuard Network Security AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.K8S.106.00673	High	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Severity	Medium	High	Kubernetes CloudGuard Best Practices
D9.AWS.106.00673	High	Outbound Traffic From DB Ports to Internet Destination	Modification	Severity	Low	High	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration
D9.AWS.107.22364	High	Outbound Traffic From VPC to Internet Destination Using SMB	Modification	Severity	Low	High	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.512.09562	High	Outbound Traffic From a VPC to an Internet Destination Using RDP	Modification	Severity	Medium	High	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.45774	High	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Severity	Informational	High	GCP CloudGuard Network Traffic
D9.AWS.107.09562	High	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Severity	Informational	High	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AZU.101.02305	Critical	Outbound Traffic to Tor Exit Node	Modification	Severity	High	Critical	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.47515	Critical	Outbound Traffic to Tor Exit Node	Modification	Severity	High	Critical	GCP CloudGuard Network Traffic
D9.K8S.522.02305	Critical	Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster	Modification	Severity	Medium	Critical	Kubernetes CloudGuard Best Practices
D9.AWS.107.02305	Critical	Outbound Traffic to Tor Exit Node	Modification	Severity	High	Critical	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.04785	High	Suspicious Outbound Traffic to a Suspected CnC Server	Modification	Severity	Medium	High	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Severity	High	Critical	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.GCP.515.40828	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Severity	High	Critical	GCP CloudGuard Network Traffic
D9.K8S.522.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Severity	High	Critical	Kubernetes CloudGuard Best Practices
D9.AWS.107.86159	Critical	Outbound Traffic to Malicious IP Addresses	Modification	Severity	High	Critical	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.102.42790	Medium	Overly-Permissive Trust Policy Attached to a Role	Modification	Severity	High	Medium	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Best Practices
D9.AWS.108.42542	Low	Password Policy Change	Modification	Severity	Medium	Low	AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.AWS.108.67850	High	RDS Instance Publicly Accessible	Modification	Severity	Medium	High	AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.48158	Low	S3 Bucket Deleted	Modification	Severity	Medium	Low	AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.106.91932	High	Series of Enumeration API Calls Executed in Several Regions	Modification	Severity	Medium	High	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.108.25508	High	Suspicious StartSession Event Was Triggered	Modification	Severity	Critical	High	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices

January 15 2023

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AZU.512.21827	High	Azure SUPERMAN Login	Modification	Logic			Azure CloudGuard Identity and Access Management Azure MITRE ATT&CK ™ - Initial Access Azure CloudGuard Best Practices
D9.AZU.512.06380	Medium	Same User Login Attempt From Multiple Sources in a Short Period	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.522.19248	Low	K8S Pod Access to Metadata	Modification	Logic Severity	High	Low	Kubernetes CloudGuard Best Practices
D9.K8S.522.83805	Informational	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AZU.512.09562	Medium	Outbound Traffic From a VPC to an Internet Destination Using RDP	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.K8S.522.02305	Medium	Outbound Traffic to Tor Exit Node From Within a Kubernetes Cluster	Modification	Logic Severity	High	Medium	Kubernetes CloudGuard Best Practices
D9.K8S.522.44344	Medium	Outbound Traffic to a Compromised Server From a Kubernetes Cluster	Modification	Logic Severity	Low	Medium	Kubernetes CloudGuard Best Practices
D9.K8S.522.04785	Low	Suspicious Outbound Traffic to a CnC Server From a Kubernetes Cluster	Modification	Name Logic	Suspicious Outbound Traffic as Backdoor to a CnC Server From a Kubernetes Cluster	Suspicious Outbound Traffic to a CnC Server From a Kubernetes Cluster	Kubernetes CloudGuard Best Practices
D9.K8S.522.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AZU.512.17551	High	Port Scanning of an Internal Asset	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AZU.512.09957	Low	Suspicious DNS Packet Size	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.K8S.522.09957	Low	Suspicious DNS Packet Size From a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AZU.512.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.K8S.522.37118	Low	Suspicious DNS Packets Volume From a Kubernetes Pod	Modification	Name Logic	Suspicious DNS Packets Volume Per Session From a Kubernetes Pod	Suspicious DNS Packets Volume From a Kubernetes Pod	Kubernetes CloudGuard Best Practices
D9.AZU.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AZU.512.31179	Medium	Large Number of Failed Logins Followed by a Successful Login to Your Azure Account	Removal				Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices

December 25 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AZU.512.37886	Low	Function Bindings Modified	Modification	Logic	Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.51420	Low	Azure Login Attempt With 2 Different User-Agents in a Short Time	Modification	Logic	Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.101.02305	High	Outbound Traffic to Tor Exit Node	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AZU.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices

December 11 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.54053	Informational	Abuse of Role Credentials	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.K8S.107.71929	High	Inbound Accepted Traffic to a Kubernetes Cluster From a Malicious IP Address	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.107.1929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AZU.512.56100	Low	Large Number of Failed Logins to Azure	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.108.32872	Informational	Multiple New Instances Launched in a Short Period by a Specific User	Modification	Logic Severity	Low	Informational	AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.106.00673	Low	Outbound Traffic From DB Ports to Internet Destination	Modification	Logic Severity	Medium	Low	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration
D9.AWS.0.83805	Informational	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AZU.105.17551	High	Port Scanning of an Internal Asset	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.K8S.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.101.50079	Informational	Security Group Modification	Modification	Logic Severity	Medium	Informational	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Exfiltration AWS CloudGuard Best Practices
D9.AWS.101.97471	Low	Suspicious Outbound Traffic to a Phishing Server	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices

November 28 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.502.54053	Informational	Abuse of Role Credentials	New				AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.AWS.502.75889	High	Crypto mining terms have been identified	New				AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.502.73254	Low	EC2 created in multiple regions	New				AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AZU.107.71929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AZU.512.56100	Low	Large Number of Failed Logins to Azure	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AZU.512.69098	Critical	Login Attempt to Azure From a Malicious IP Address	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Credential Access Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.AZU.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.502.35353	Medium	Overly-Permissive SNS Policy	Modification	Logic			AWS CloudGuard Identity and Access Management AWS CloudGuard Cloud Asset Management AWS CloudGuard Best Practices
D9.K8S.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.K8S.522.65125	Low	Suspicious NTP Packets Volume From a Kubernetes Pod	Modification	Name Logic	Suspicious NTP Packets Volume Per Session From a Kubernetes Pod	Suspicious NTP Packets Volume From a Kubernetes Pod	Kubernetes CloudGuard Best Practices
D9.AWS.108.63748	High	Unsecured Task Definition Created - hostPath	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.85090	High	Unsecured Task Definition Created - Env Var and Command	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.502.56156	Informational	User Data has been modified	New				AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.104.99097	High	Abuse of Access Token Generated by STS Dedicated For Lambda	Removal				AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.104.50303	High	Abuse of Access Token Generated by STS Dedicated For EC2	Removal				AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Best Practices
D9.AWS.108.40808	Critical	Abuse of Access Token Generated by STS Dedicated for ECS	Removal				AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.55223	Critical	Abuse of Access Token Generated by STS Dedicated For Kubernetes Node Group	Removal				Kubernetes CloudGuard Best Practices
D9.AWS.108.13381	Critical	Abuse of Access Token Generated by STS Dedicated For Kubernetes Pod	Removal				AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AZU.512.87418	Low	Container Deleted	Removal				Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.512.80640	Informational	Container Created	Removal				Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Collection Azure MITRE ATT&CK ™ - Execution Azure CloudGuard Serverless Azure CloudGuard Best Practices

November 13 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AZU.512.37886	Low	Function Bindings Modified	Modification	Logic	Azure CloudGuard Cloud Asset Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Serverless Azure CloudGuard Best Practices
D9.AZU.107.71929	High	Inbound Accepted Traffic From a Malicious IP Address	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Impact Azure CloudGuard Best Practices
D9.K8S.106.00673	Medium	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AZU.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices

November 07 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AZU.105.14069	Low	Internal Rejected Traffic	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.K8S.106.00673	Medium	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AZU.107.09562	Medium	Outbound Traffic From a VPC to an Internet Destination Using RDP	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.K8S.105.87085	Medium	Ping Sweep Activity From Within a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices

November 06 2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Affected Rulesets
D9.AZU.105.14069	Low	Internal Rejected Traffic	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.AWS.105.14069	Low	Internal Rejected Traffic	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.19248	High	K8S Pod Access to Metadata	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.108.97652	Medium	K8S SSH Access to Nodes From Pods	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.K8S.106.00673	Medium	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.106.00673	Medium	Outbound Traffic From DB Ports to Internet Destination	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.107.22364	Low	Outbound Traffic From VPC to Internet Destination Using SMB	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.0.83805	Informational	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AZU.107.09562	Medium	Outbound Traffic From a VPC to an Internet Destination Using RDP	Modification	Logic	Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Exfiltration Azure MITRE ATT&CK ™ - Command and Control Azure CloudGuard Best Practices
D9.AWS.107.09562	Informational	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.98731	Low	Outbound Traffic Suspected as Cryptomining Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.02305	High	Outbound Traffic to Tor Exit Node	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.04785	Medium	Suspicious Outbound Traffic to a Suspected CnC Server	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.K8S.105.87085	Medium	Ping Sweep Activity From Within a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.105.54069	High	Port Scan of Internal Asset From ECS	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic	Kubernetes CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.107.09957	Low	Suspicious DNS Packet Size	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.101.97471	Low	Suspicious Outbound Traffic to a Phishing Server	Modification	Logic	AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.54497	High	Unsecured Task Definition Created - Dangerous Capabilities	Modification	Logic	AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.AWS.108.64899	Medium	Unusual Exposed Ports on Instance	Modification	Logic	AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices
D9.K8S.108.98731	Low	Outbound Traffic From a Kubernetes Cluster Suspected as Cryptomining Activity	Removal		Kubernetes CloudGuard Best Practices

October 30 2022

Note: This is the first RN, Include all changes from 11.09.2022 to 30.10.2022

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets

Rule ID	Severity	Rule Name	Change Type	Updated Content	Before	After	Affected Rulesets
D9.AWS.0.89909	Informational	GuardDuty Disabled	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.0.22599	Low	GuardDuty Suspended	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Identity and Access Management AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Credential Access AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution AWS CloudGuard Best Practices
D9.AWS.102.06565	Medium	Administrator Permissions Attached to a Role	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.0.74281	Low	Administrator Permissions Attached to a User	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Persistence AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Defense Evasion AWS CloudGuard Serverless AWS CloudGuard Account Activity AWS CloudGuard Best Practices
D9.AWS.105.66271	Low	IAM Permissions Enumeration	Modification	Logic			AWS CloudGuard Identity and Access Management AWS MITRE ATT&CK ™ - Privilege Escalation AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AZU.105.14069	Low	Internal Rejected Traffic	Modification	Logic			Azure CloudGuard Network Security Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Discovery Azure CloudGuard Best Practices
D9.AWS.105.14069	Low	Internal Rejected Traffic	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.AWS.108.19248	High	K8S Pod Access to Metadata	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.108.97652	Medium	K8S SSH Access to Nodes From Pods	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.ALI.702.16860	Critical	Login Attempt to Alibaba console From a Malicious IP Address	Modification	Name	Login Attempt to AWS console From a Malicious IP Address	Login Attempt to Alibaba console From a Malicious IP Address	Alibaba CloudGuard Best Practices
D9.K8S.106.00673	Medium	Outbound Traffic From DB Ports Within a Kubernetes Cluster to Internet Destination	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.106.00673	Medium	Outbound Traffic From DB Ports to Internet Destination	Modification	Logic			AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.107.22364	Low	Outbound Traffic From VPC to Internet Destination Using SMB	Modification	Logic			AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.0.83805	Informational	Outbound Traffic From a Kubernetes Cluster to Internet Destination Using SSH	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.107.09562	Informational	Outbound Traffic From VPC to Internet Destination Using RDP	Modification	Logic			AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.98731	Low	Outbound Traffic Suspected as Cryptomining Activity	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.02305	High	Outbound Traffic to Tor Exit Node	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.04785	Medium	Suspicious Outbound Traffic to a Suspected CnC Server	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.86159	High	Outbound Traffic to Malicious IP Addresses	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.K8S.105.87085	Medium	Ping Sweep Activity From Within a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.105.87086	Medium	Ping Sweep Activity	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery
D9.AWS.105.54069	High	Port Scan of Internal Asset From ECS	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.105.17551	High	Port Scanning of an Internal Asset From a Kubernetes Pod	Modification	Logic			Kubernetes CloudGuard Best Practices
D9.AWS.105.7551	High	Port Scanning of an Internal Asset	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS CloudGuard Best Practices
D9.GCP.514.992293	Informational	Project IAM Policy Updated	Modification	Logic			GCP CloudGuard Account Activity
D9.GCP.514.62109	Informational	Service Account IAM Policy Updated	Modification	Logic			GCP CloudGuard Account Activity
D9.AZU.512.41592	Low	Successful Login Without MFA	Modification	Logic			Azure CloudGuard Identity and Access Management Azure CloudGuard Vulnerability and Threat Management Azure MITRE ATT&CK ™ - Initial Access Azure MITRE ATT&CK ™ - Defense Evasion Azure MITRE ATT&CK ™ - Credential Access Azure CloudGuard Best Practices
D9.AWS.107.09957	Low	Suspicious DNS Packet Size	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.37118	Low	Suspicious DNS Packets Volume Per Session	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.108.44909	High	Suspicious ECS Task Has Been Executed	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Impact AWS MITRE ATT&CK ™ - Execution
D9.AWS.107.31878	Low	Suspicious NTP Packet Size	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.107.65125	Low	Suspicious NTP Packets Volume Per Session	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Discovery AWS MITRE ATT&CK ™ - Command and Control AWS CloudGuard Best Practices
D9.AWS.101.97471	Low	Suspicious Outbound Traffic to a Phishing Server	Modification	Logic			AWS CloudGuard Network Security AWS CloudGuard Vulnerability and Threat Management AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Command and Control
D9.AWS.108.83241	High	Unsecured Task Definition Created - Privileged Container	Modification	Logic			AWS CloudGuard Vulnerability and Threat Management AWS CloudGuard Cloud Asset Management AWS MITRE ATT&CK ™ - Initial Access AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Serverless AWS CloudGuard Best Practices
D9.AWS.108.64899	Medium	Unusual Exposed Ports on Instance	Modification	Logic			AWS CloudGuard Network Security AWS MITRE ATT&CK ™ - Defense Evasion AWS MITRE ATT&CK ™ - Collection AWS MITRE ATT&CK ™ - Exfiltration AWS MITRE ATT&CK ™ - Impact AWS CloudGuard Best Practices

CloudGuard Intelligence Updates

November 11 2024

November 04 2024

October 16 2024

October 07 2024

September 30 2024

September 16 2024

September 05 2024

August 11 2024

August 06 2024

July 24 2024

July 04 2024

June 24 2024

June 18 2024

June 17 2024

June 06 2024

May 27 2024

May 26 2024

May 21 2024

April 18 2024

April 02 2024

February 14 2024

July 03 2023

June 18 2023

May 28 2023

April 23 2023

March 30 2023

March 29 2023

March 20 2023

March 05 2023

February 19 2023

February 05 2023

January 22 2023

January 16 2023

January 15 2023

December 25 2022

December 11 2022

November 28 2022

November 13 2022

November 07 2022

November 06 2022

October 30 2022