Summary
Within our latest content release we are introducing a new set of rules related to our 5th Threat Research Campaign structured around Docker, Azure, and Linux. We also made Mapper additions to support Cisco Meraki events ingested via C2C, Cyber Ark Mapper improvements, and new Jamf Audit User Event and Jamf Protect Mappers.
Rules
- [New] MATCH-S00864 Azure Firewall Rule Modified Description: The Azure Firewall may provide egress and ingress controls for a variety of Azure services; unexpected or unplanned firewall modifications should be investigated.
- [New] AGGREGATION-S00006 Docker Enumeration Detected on Host Description: Threat actors will aim to enumerate various permissions and settings on hosts with Docker installed; this enumeration can potentially lead to exploitation avenues.
- [New] FIRST-S00031 First Seen IP Address Associated with User for a Successful Azure AD Sign In Event Description: User has successfully signed into an Azure resource with a first seen IP address since the baseline period.
- [New] FIRST-S00032 First Seen Kubectl Command From User Description: User has issued a Kubectl command which was first seen since the baseline period on hostname.
- [New] THRESHOLD-S00112 Multiple Azure Firewall Deny Events for IP Description: An Azure firewall has denied a large number of request from an IP address within a short time window.
- [New] THRESHOLD-S00113 Multiple Azure Firewall Deny Events for URL Description: An Azure firewall has denied a large number of requests to a URL within a short time window.
- [New] MATCH-S00865 Potential Docker Escape via Command Line Description: This rule looks for whether the raw Docker socket was used for container creation as well as a bind mount of /hostfs which could facilitate a container escape and allow command execution on the Docker host.
- [New] CHAIN-S00014 Potential Docker container escape via Cgroups. Description: A Docker container running with the privileged flag may be exploited by threat actors, potentially resulting in an escape from the Docker container to the host that it is running on. This can result in various privilege escalation opportunities.
- [New] CHAIN-S00015 Suspicious Linux Execution Chain Description: This alert looks for a number of search expressions that result in a suspicious Linux execution chain. Specifically, a file that is created in a users' home directory or in /tmp, followed by a chmod and file execution, as well as the process making a network connection.
Log Mappers
- [New] Cisco Meraki File Scanned - C2C
- [New] Cisco Meraki IDS Alert - C2C
- [New] Cisco Meraki Organization Configuration Change - C2C
- [New] Cisco Meraki Wireless Air Marshall - C2C
- [New] Jamf Audit User - Events
- [New] Jamf Protect Analytics - Events
- [Updated] Cisco Meraki 8021x
- [Updated] Cisco Meraki Catch All - Custom Parser
- [Updated] Cisco Meraki Client Association
- [Updated] Cisco Meraki Content Filtering Block - Custom Parser
- [Updated] Cisco Meraki Flow Start_End - Custom Parser
- [Updated] Cisco Meraki Flows - Custom Parser
- [Updated] Cisco Meraki IDS - Custom Parser
- [Updated] Cisco Meraki Security Filtering Disposition Change - Custom Parser
- [Updated] Cisco Meraki Security Filtering File Scanned - Custom Parser
- [Updated] Cisco Meraki URLS - Custom Parser
- [Updated] Cisco Meraki WPA - Custom Parser
- [Updated] Cyber Ark 01
- [Updated] Cyber Ark EPM AggregateEvent
- [Updated] Cyber Ark EPM AuditAdmin
- [Updated] Cyber Ark EPM GetComputer
- [Updated] Cyber Ark EPM Policy
- [Updated] Cyber Ark EPM RawDetails
- [Updated] Cyber Ark EPM RawEvents
- [Updated] Cyber Ark Vault JSON
- [Updated] Jamf Parser - Catch All
Parsers
- [New] /Parsers/System/Cisco/Cisco Meraki C2C
- [New] /Parsers/System/Sophos/Sophos Central C2C JSON
- [Updated] /Parsers/System/Jamf/Jamf