PyPI - nldcsc-elastic-rules - Versions diffs - 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl - Mend

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

nldcsc_elastic_rules/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2025/04/11"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/09/02"
+updated_date = "2025/12/04"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ note = """## Triage and Analysis
 Access tokens are bound to a single user. Usage from multiple IP addresses may indicate the token was stolen and used elsewhere. By correlating this with additional detection criteria like multiple user agents, different cities, and different networks, we can improve the fidelity of the rule and help to eliminate false positives associated with expected behavior, like dual-stack IPV4/IPV6 usage.
-#### Possible Investigation Steps
+#### Possible investigation steps
 - **Identify the IAM User**: Examine the `aws.cloudtrail.user_identity.arn` stored in `user_id` and correlate with the `source.ips` stored in `ip_list` and `unique_ips` count to determine how widely the token was used.
 - **Correlate Additional Detection Context**: Examine `activity_type` and `fidelity_score` to determine additional cities, networks or user agents associated with the token usage.
@@ -44,18 +44,18 @@ Access tokens are bound to a single user. Usage from multiple IP addresses may i
 - **Review Workload Context**: Confirm whether the user was expected to be active across multiple cities, networks or user agent environments.
 - **Trace Adversary Movement**: Pivot to related actions (e.g., `s3:ListBuckets`, `iam:ListUsers`, `sts:GetCallerIdentity`) to track further enumeration.
-### False Positive Analysis
+### False positive analysis
 - Automation frameworks that rotate through multiple IPs or cloud functions with dynamic egress IPs may cause this alert to fire.
 - Confirm geolocation and workload context before escalating.
-### Response and Remediation
+### Response and remediation
 - **Revoke the Token**: Disable or rotate the IAM credentials and invalidate the temporary session token.
 - **Audit the Environment**: Look for signs of lateral movement or data access during the token's validity.
 - **Strengthen Controls**: Require MFA for high-privilege actions, restrict access via policy conditions (e.g., IP range or device).
-### References
+### Additional information
 - [IAM Long-Term Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
 - [STS Temporary Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
@@ -99,7 +99,8 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
     "health.amazonaws.com", "monitoring.amazonaws.com", "notifications.amazonaws.com",
     "ce.amazonaws.com", "cost-optimization-hub.amazonaws.com",
     "servicecatalog-appregistry.amazonaws.com", "securityhub.amazonaws.com",
-    "account.amazonaws.com", "budgets.amazonaws.com", "freetier.amazonaws.com"
+    "account.amazonaws.com", "budgets.amazonaws.com", "freetier.amazonaws.com", "support.amazonaws.com",
+    "support-console.amazonaws.com"
   )
 | eval
@@ -114,7 +115,8 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
   Esql.source_geo_city_name = source.geo.city_name,
   Esql.source_network_org_name = `source.as.organization.name`,
   Esql.source_ip_network_pair = concat(Esql.source_ip_string, "-", `source.as.organization.name`),
-  Esql.event_timestamp = @timestamp
+  Esql.event_timestamp = @timestamp,
+  Esql.data_stream_namespace = data_stream.namespace
 | stats
   Esql.event_action_values = values(event.action),
@@ -132,6 +134,7 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
   Esql.user_agent_original_count_distinct = count_distinct(Esql.user_agent_original),
   Esql.source_geo_city_name_count_distinct = count_distinct(Esql.source_geo_city_name),
   Esql.source_network_org_name_count_distinct = count_distinct(Esql.source_network_org_name),
+  Esql.data_stream_namespace_values = values(Esql.data_stream_namespace),
   Esql.timestamp_first_seen = min(Esql.event_timestamp),
   Esql.timestamp_last_seen = max(Esql.event_timestamp),
   Esql.event_count = count()
@@ -175,9 +178,15 @@ from logs-aws.cloudtrail* metadata _id, _version, _index
   Esql.source_ip_count_distinct,
   Esql.user_agent_original_count_distinct,
   Esql.source_geo_city_name_count_distinct,
-  Esql.source_network_org_name_count_distinct
+  Esql.source_network_org_name_count_distinct,
+  Esql.data_stream_namespace_values
+| where Esql.activity_fidelity_score == "high"
+// this rule only alerts for "high" fidelity cases, to broaden the rule scope to include all activity
+// change the final condition to
+// | where Esql.activity_type != "normal_activity"
-| where Esql.activity_type != "normal_activity"
 '''
 [rule.investigation_fields]
@@ -201,7 +210,8 @@ field_names = [
       "Esql.source_ip_count_distinct",
       "Esql.user_agent_original_count_distinct",
       "Esql.source_geo_city_name_count_distinct",
-      "Esql.source_network_org_name_count_distinct"
+      "Esql.source_network_org_name_count_distinct",
+      "Esql.data_stream_namespace_values"
 ]

nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 50
@@ -112,3 +112,37 @@ tags = [
 ]
 type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1526"
+name = "Cloud Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1526/"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"

nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 50
@@ -114,3 +114,61 @@ tags = [
 ]
 type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+[[rule.threat.technique]]
+id = "T1526"
+name = "Cloud Service Discovery"
+reference = "https://attack.mitre.org/techniques/T1526/"
+[[rule.threat.technique]]
+id = "T1580"
+name = "Cloud Infrastructure Discovery"
+reference = "https://attack.mitre.org/techniques/T1580/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"

nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 50
@@ -116,3 +116,21 @@ tags = [
 ]
 type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"

nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 50
@@ -116,3 +116,21 @@ tags = [
 ]
 type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"

nldcsc_elastic_rules/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml CHANGED Viewed

@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2024/06/18"
+updated_date = "2025/11/18"
 [rule]
 anomaly_threshold = 75
@@ -114,3 +114,60 @@ tags = [
 ]
 type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.007"
+name = "Cloud Services"
+reference = "https://attack.mitre.org/techniques/T1021/007/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[rule.threat.tactic]
+id = "TA0010"
+name = "Exfiltration"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+[[rule.threat.technique]]
+id = "T1041"
+name = "Exfiltration Over C2 Channel"
+reference = "https://attack.mitre.org/techniques/T1041/"

nldcsc_elastic_rules/rules/integrations/aws/persistence_rds_db_instance_password_modified.toml CHANGED Viewed

@@ -2,16 +2,23 @@
 creation_date = "2024/06/27"
 integration = ["aws"]
 maturity = "production"
-updated_date = "2025/01/10"
+updated_date = "2025/11/24"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation.
+Identifies the modification of the master password for an AWS RDS DB instance or cluster. Changing the master password
+is a legitimate recovery action when access is lost, but adversaries with sufficient permissions may modify it to regain
+access, establish persistence, bypass existing controls, or escalate privileges within a compromised environment.
+Because RDS does not expose the password in API responses, this operation can meaningfully alter access pathways to
+sensitive data stores.
 """
+event_category_override = "event.type"
 false_positives = [
     """
-    Master password change is a legitimate means to regain access to a DB instance in the case of a lost password. Ensure that the instance should not be modified in this way before taking action.
+    Master password modification may occur during legitimate administrative recovery (e.g., a lost password, rotation
+    event, or Secrets Manager reassociation). Validate whether the change was expected, approved, and performed by
+    authorized personnel. If known workflows routinely perform this action, consider adding targeted exceptions.
     """,
 ]
 from = "now-6m"
@@ -19,40 +26,86 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AWS RDS DB Instance or Cluster Password Modified"
-note = """
-## Triage and analysis
+note = """## Triage and analysis
-### Investigating AWS RDS DB Instance or Cluster Password Modified
-This rule identifies when an RDS DB instance or cluster password is modified. While changing the master password is a legitimate means to regain access in the case of a lost password, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment.
-#### Possible Investigation Steps
-- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.
-- **Review the Modification Event**: Identify the DB instance involved and review the event details. Look for `ModifyDBInstance` actions where the masterUserPassword parameter was changed.
-    - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance.
-- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it.
-- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.
-- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.
-- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.
-### False Positive Analysis
-- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks.
-- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.
-### Response and Remediation
-- **Immediate Review and Reversal**: If the change was unauthorized, update the instance password. If the master user password was managed with AWS Secrets Manager, determine whether the `manageMasterUserPassword` attribute was changed to false and revert if necessary.
-- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.
-- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.
-- **Policy Update**: Review and possibly update your organization’s policies on DB instance access to tighten control and prevent unauthorized access.
-- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance.
+> While every effort has been made to ensure its quality, validate and adapt it to suit your operational needs.
-### Additional Information:
+### Investigating AWS RDS DB Instance or Cluster Password Modified
-For further guidance on managing DB instances and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html) and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security:
-- [AWS RDS ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)
-- [Amazon RDS and Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)
+The RDS master user password controls privileged access to a database instance or cluster. Modifying it can immediately shift access from one operator to another, break application functionality, or allow an adversary to regain control over a compromised DB instance. Because RDS never returns the password via API, this operation is a strong signal of intentional access reconfiguration.
+This rule detects successful password-modification events via `ModifyDBInstance` or `ModifyDBCluster`. Such changes may indicate credential loss recovery—or malicious actions related to persistence, privilege escalation, or defense evasion.
+#### Possible investigation steps
+- **Identify the actor and execution context**
+  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id`.
+  - Inspect `user.name`, `source.ip`, and `user_agent.original` to determine whether the modification originated from expected networks, automation roles, or unusual sources.
+- **Determine what was modified**
+  - Examine `aws.cloudtrail.request_parameters` to identify:
+    - The DB instance or cluster identifier.
+    - Whether other parameters were modified in the same call (e.g., `manageMasterUserPassword`, engine version, instance class, parameter group).
+  - Review instance metadata in AWS to understand the sensitivity level, environment (prod/stage/dev), and potential business impact.
+- **Reconstruct timing and associated actions**
+  - Use `@timestamp` to compare the event against:
+    - Recent configuration changes such as `ModifyDBInstance`, `ModifyDBCluster`, or networking/security group updates.
+    - Other access-related operations (e.g., `AddRoleToDBInstance`, changes to Secrets Manager associations, disabling deletion protection).
+  - Check for signs of credential misuse leading up to the event (e.g., `DescribeDBInstances`, `GetCallerIdentity`, unauthorized console logins).
+- **Correlate with broader activity**
+  - Pivot in CloudTrail using the same access key, principal ARN, or source IP.
+  - Look for:
+    - Privilege-escalating or persistence-related behavior (IAM policy changes, role modifications, STS session creation).
+    - Subsequent DB-impacting operations, such as snapshot deletion, backup retention changes, or cluster deletion.
+    - Evidence of data access anomalies (backup exports, data snapshot copies, cross-region actions).
+- **Validate intent with operational owners**
+  - Confirm with DBAs, platform engineers, and application owners whether the password change:
+    - Was requested or scheduled.
+    - Aligns with pending migrations, credential rotations, or recovery actions.
+  - If not recognized, treat this as a high-risk event requiring deeper containment.
+### False positive analysis
+- **Recovery or maintenance tasks**
+  - Password resets occur during lost-credential scenarios or planned rotations. Confirm if this aligns with a documented workflow.
+- **Secrets Manager integration changes**
+  - When `manageMasterUserPassword` is toggled or Secrets Manager rotates passwords, a modification event may occur. Validate whether an automation pipeline triggered the change.
+- **Non-production workloads**
+  - Development or staging environments may see frequent password resets. Consider tuning exceptions based on tags, instance identifiers, or IAM roles tied to automation.
+### Response and remediation
+- **Contain unauthorized access**
+  - If activity is suspicious:
+    - Immediately rotate the master password again using a secure, validated workflow.
+    - Verify whether Secrets Manager integration was disabled (`manageMasterUserPassword=false`) and restore it if necessary.
+    - Restrict inbound DB access by tightening associated security group rules or isolating the instance temporarily.
+- **Investigate surrounding activity**
+  - Review CloudTrail to identify:
+    - Who accessed the instance after the password change.
+    - Whether any destructive or data-exfiltrating RDS actions occurred.
+    - Other IAM or STS activity tied to the same user or session.
+- **Restore guardrails and enhance monitoring**
+  - Ensure deletion protection, backup retention, and networking controls are correctly configured.
+  - Add real-time alerts for password-related modifications and high-risk RDS API actions.
+- **Strengthen IAM and operational controls**
+  - Limit permissions for `rds:ModifyDBInstance` and `rds:ModifyDBCluster`, especially when modifying authentication parameters.
+  - Require MFA and role-based access for DB administrators.
+  - Tighten SCPs or Config rules to restrict unauthorized DB configuration changes.
+### Additional information
+- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)**
+- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)**
+- **Security Best Practices:** [AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/).
 """
 references = [
     "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html",
@@ -77,7 +130,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-any where event.dataset == "aws.cloudtrail"
+info where event.dataset == "aws.cloudtrail"
     and event.provider == "rds.amazonaws.com"
     and event.action in ("ModifyDBInstance", "ModifyDBCluster")
     and event.outcome == "success"
@@ -96,6 +149,8 @@ id = "T1098.001"
 name = "Additional Cloud Credentials"
 reference = "https://attack.mitre.org/techniques/T1098/001/"
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
@@ -114,3 +169,22 @@ framework = "MITRE ATT&CK"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+[rule.investigation_fields]
+field_names = [
+    "@timestamp",
+    "user.name",
+    "user_agent.original",
+    "source.ip",
+    "aws.cloudtrail.user_identity.arn",
+    "aws.cloudtrail.user_identity.type",
+    "aws.cloudtrail.user_identity.access_key_id",
+    "target.entity.id",
+    "event.action",
+    "event.outcome",
+    "cloud.account.id",
+    "cloud.region",
+    "aws.cloudtrail.request_parameters",
+    "aws.cloudtrail.response_elements",
+]

nldcsc-elastic-rules 0.0.8__py3-none-any.whl → 0.0.16__py3-none-any.whl

nldcsc-elastic-rules 0.0.8py3-none-any.whl → 0.0.16py3-none-any.whl